oss-sec mailing list archives
Warpinator: Remote file deletion vulnerability (CVE-2023-29380)
From: Matthias Gerstner <mgerstner () suse de>
Date: Wed, 26 Apr 2023 11:54:38 +0200
Hi list, this report is about a remote file deletion vulnerability in Warpinator [1]. Introduction ============ I already reviewed and found issues in Warpinator a while ago [2]. The openSUSE packager for Warpinator asked me for a follow-up review after updating to upstream release 1.4.3 which contained the fixes for CVE-2022-42725. In the course of the review I found another vulnerability which is described in detail in the next section. The Vulnerability ================= In the code base of version 1.4.3 the sender of a file also sends a list of `top_dir_basenames` to the peer. While there is now a verification of the `relative_path` on the receiving side, the `top_dir_basenames` are not verified at all. In `FileReceiver.__init__()` the following code is found: ``` for name in op.top_dir_basenames: try: path = os.path.join(self.save_path, name) if os.path.isdir(path): # file not found is ok shutil.rmtree(path) else: os.remove(path) except FileNotFoundError: pass except Exception as e: logging.warning("Problem removing existing files. Transfer may not succeed: %s" % e) ``` If the sender is passing a string like "../" as part of `top_dir_basenames` then this code will delete the complete parent directory of the download directory (by default ~/Warpinator) and thus the complete home directory of the receiving party. Any other files under control of the receiving party are similarly endangered by this remote DoS / integrity attack. This can happen automatically if the receiving side is running Warpinator in trusted mode, both parties share the same non-default group key and unconfirmed file overwrites are allowed. If this is not the case then the receiving side will see a confirmation popup like X wants to send `../´ This message might not be very suspecting for an average end user. Other strings can be used here as well like an absolute path to the user's home directory, which could be interpreted as correct, or overlooked. I investigated whether the fact that this allows to delete the download directory completely could lead to a follow-up vulnerability to allow overwriting files in other paths again. This seems not to be possible though. The check of the `relative_path()` is stable enough to prevent this even if the download directory does not exist at all. Affectedness ============ The problematic handling of `top_dir_basenames` was first introduced in upstream version 1.0.7. Bugfixes ======== The remote file deletion vulnerability has been fixed upstream via commit 9aae768 [3]. The fact that this vulnerability escaped both upstream's and my own review efforts during handling of CVE-2022-4272 confirmed earlier concerns I had about relying on a single line of defense in the Warpinator codebase. I recommended to upstream to use an isolation technique like Linux mount namespaces to prevent escapes from the destined download directory. In the light of this new security issue I additionally or alternatively recommended a redesign of the codebase to better separate trusted and untrusted codepaths. Upstream used the 90 days embargo time we offered to implement isolation mechanisms either based on Linux namespaces through the Bubblewrap tool, or based on the Linux kernel's landlock security module. Only if none of both can be established, Warpinator will run in a legacy mode. In this case the user will be warned about the weakened security. The new Warpinator major version release 1.6.0 contains both the bugfix for this the remote file deletion issue as well as the added security layers. Timeline ======== 2023-01-25: I reported the newly found issue to upstream and offered coordinated disclosure. 2023-03-08: Upstream shared the core changes listed above with us, I reviewed them and gave feedback. 2023-04-05: I received CVE-2023-29380 from Mitre to track the file deletion issue and shared it with upstream. 2023-04-25: Upstream needed additional time for testing and integration. The 90 days maximum embargo period we offer ends and with the 1.6.0 release being available we agreed on the publication of all available information. References ========== [1]: https://github.com/linuxmint/warpinator [2]: https://seclists.org/oss-sec/2022/q4/38 [3]: https://github.com/linuxmint/warpinator/commit/9aae768522b7bbb09c836419893802a02221d663 Best Regards -- Matthias Gerstner <matthias.gerstner () suse de> Security Engineer https://www.suse.com/security GPG Key ID: 0x14C405C971923553 SUSE Software Solutions Germany GmbH HRB 36809, AG Nürnberg Geschäftsführer: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman
Attachment:
signature.asc
Description:
Current thread:
- Warpinator: Remote file deletion vulnerability (CVE-2023-29380) Matthias Gerstner (Apr 26)