kkFileView ZipSlip Remote Code Execution

Chinese version

kkFileView is an open source document online preview solution.

In versions prior to 4.4.0-beta, kkFileView has a ZipSlip issue: archive entry names are not confined to the extraction directory. Attackers can use this issue to upload arbitrary files to the server and execute code.
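The containment check that a ZipSlip-safe extraction loop needs, as an added example (not kkFileView's code or its actual fix, and written in Python for brevity although kkFileView is Java). The function names, the sample entry names and the /srv/preview-cache path are assumptions made for illustration.

```python
import io
import os
import zipfile


def build_archive(names):
    """Build a constructed in-memory ZIP holding placeholder entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, "placeholder")
    return buf.getvalue()


def unsafe_entries(zip_bytes, dest_dir):
    """Return the entry names that would resolve outside dest_dir.

    This is the check a hand-written extraction loop must perform before
    opening any output file: resolve the joined path, then confirm it is
    still under the extraction root.
    """
    root = os.path.realpath(dest_dir)
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Treat Windows-style separators the same as "/".
            name = info.filename.replace("\\", "/")
            # An absolute entry name replaces root in join(), so it is
            # caught by the same comparison as "../" sequences.
            target = os.path.realpath(os.path.join(root, name))
            if os.path.commonpath([root, target]) != root:
                flagged.append(info.filename)
    return flagged


# Constructed sample names: one ordinary entry and three that escape.
SAMPLE_NAMES = [
    "docs/readme.txt",
    "../../tmp/escape.txt",
    "docs/../../escape2.txt",
    "/etc/absolute.txt",
]

if __name__ == "__main__":
    archive = build_archive(SAMPLE_NAMES)
    for entry in unsafe_entries(archive, "/srv/preview-cache"):
        print("rejecting archive, entry escapes extraction root:", entry)
```

An archive with any flagged entry should be rejected as a whole rather than extracted with the bad entries skipped.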

References:

Vulnerable environment

Execute the following command to start a kkFileView 3.4.0 server:

docker compose up -d

After the server is started, you can see the index page at http://your-ip:8012.

Exploit

First, generate a crafted PoC archive with poc.py:

python poc.py

A test.zip file will be written.

Upload test.zip and sample.odt to the kkFileView server:

Then, click the "preview" button of test.zip. The contents of the zip file will be listed:

Finally, click the "preview" button of sample.odt.

You can see that the command touch /tmp/success has been executed successfully: