zrok copy writes attacker-controlled WebDAV paths outside the destination root

Vulnerability

Overview

The vulnerability resides in the zrok copy command when copying from a WebDAV or zrok drive controlled by an attacker (Bob) to a local filesystem target. Bob can return a DAV href containing path traversal sequences such as /../outside.txt. The sync pipeline stores this path in the source inventory and passes it to FilesystemTarget.WriteStream, which joins it with the target root without proper sanitization, resulting in file creation outside Alice's selected directory [1][2].

Exploitation

An attacker who has been granted access to a zrok share can exploit this by crafting a malicious WebDAV response with a path traversal payload. No additional authentication is required beyond the existing share access. The attack is triggered when the victim (Alice) runs zrok2 copy from the attacker-controlled share to a local directory [1][2].

Impact

Successful exploitation allows the attacker to write arbitrary files to any location on the victim's filesystem that the zrok process has write access to. This can lead to overwriting sensitive files, potentially enabling code execution or privilege escalation depending on the target system configuration [1][2].

Mitigation

As of the advisory publication date, versions 0.4.23 through 1.1.11 are affected. Users should update to a patched version once available and restrict access to zrok shares to trusted parties only [1][2].