Security Vulnerability Found #52
Comments
|
@jaharkes Can you please create a GHSA and request a CVE for this too? |
|
As I commented on the pull request, I don't see an actual exploitable vulnerability here because of the way the Diamond system is architected and deployed. The dataretriever process exists only to hide the differences between local and remotely stored files for the Diamond search process. The Diamond search scope and access validation happens in the diamondd process and as such the dataretriever is already treated as a non-trustworthy component in the chain. Because of this it only listens on the loopback interface, it runs as a non-privileged user, and the source of the object path that we normally see is obtained from the object index generated by the same dataretriever process and cannot be influenced by the (Diamond) application user. So in the normal setup this would only provide a possible local attack vector for people who have already compromised the system on which it is deployed. The whole point of the dataretriever is to give access to data. So once the system is locally compromised, we have loss of confidentiality and whether we use os.path.join or safe_join doesn't change that. |
|
@jaharkes Did you see my comment #53 (comment) on the PR?
This is not necessarily true. Let's say you have some other service running on some other port which has an open redirect/host-only SSRF an attacker can club them both and still exploit this vulnerability. Even if the service is only exposed on local, there is still a security vulnerability albeit a bit less severe. CVSS v3.1 considers |
|
Look, we can argue back and forth, but ultimately there are quite a few broken assumptions and bad code. You don't have to look far to find much easier to exploit vulnerabilities in this code. For one, we execute untrusted binaries sent by a client as "search filters", there is #21/#19 to remind us of that. In fact, there is your SSRF right there on the 'reexecute_filters' call. So what we're looking at here is a research project which tries to prove a concept, but wasn't really engineered to be a secure system to begin with. |
|
@jaharkes Sounds reasonable. |
Absolute Path Traversal due to incorrect use of
send_filecallA path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system including application source code or configuration and critical system files. This attack is also known as “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”.
Common Weakness Enumeration category
CWE - 36
Root Cause Analysis
The
os.path.joincall is unsafe for use with untrusted input. When theos.path.joincall encounters an absolute path, it ignores all the parameters it has encountered till that point and starts working with the new absolute path. Please see the example below.Since the "malicious" parameter represents an absolute path, the result of
os.path.joinignores the static directory completely. Hence, untrusted input is passed via theos.path.joincall toflask.send_filecan lead to path traversal attacks.In this case, the problems occurs due to the following code :
opendiamond/opendiamond/dataretriever/augment_store.py
Line 164 in 7ded6b5
Here, the
obj_pathparameter is attacker controlled. This parameter passes through the unsafeos.path.joincall making the effective directory and filename passed to thesend_filecall attacker controlled. This leads to a path traversal attack.Proof of Concept
The bug can be verified using a proof of concept similar to the one shown below.
Remediation
This can be fixed by preventing flow of untrusted data to the vulnerable
send_filefunction. In case the application logic necessiates this behaviour, one can either use thewerkzeug.utils.safe_jointo join untrusted paths or replaceflask.send_filecalls withflask.send_from_directorycalls.Common Vulnerability Scoring System Vector
The attack can be carried over the network. A complex non-standard configuration or a specialized condition is not required for the attack to be successfully conducted. There is no user interaction required for successful execution. The attack can affect components outside the scope of the target module. The attack can be used to gain access to confidential files like passwords, login credentials and other secrets. It cannot be directly used to affect a change on a system resource. Hence has limited to no impact on integrity. Using this attack vector a attacker may make multiple requests for accessing huge files such as a database. This can lead to a partial system denial service. However, the impact on availability is quite low in this case. Taking this account an appropriate CVSS v3.1 vector would be
(AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L)[https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L&version=3.1]
This gives it a base score of 9.3/10 and a severity rating of critical.
References
This bug was found using CodeQL by Github
The text was updated successfully, but these errors were encountered: