This flaw in the OTLP exporter’s disk retry mechanism allows local users to inject, read, or exhaust telemetry blobs on multi-user systems, bypassing access controls.
Config: When `OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk` is set but `OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH` is not, the exporter resolves the storage root to the shared system’s temporary directory via Path.GetTempPath().
Predictable Paths: The exporter creates fixed, signal-named subdirectories `traces`, `metrics`, and `logs` under this shared root (e.g., `/tmp/traces` on Linux or `%TEMP%\traces` on Windows).
Injection Exploit: A local attacker with write access writes a crafted `.blob` file (e.g., injected.blob) into one of these predictable paths. The exporter’s `OtlpExporterPersistentStorageTransmissionHandler` scans these directories on its next retry interval (default 60s) and forwards the attacker’s blob to the OTLP endpoint as if it were legitimate telemetry.
Disclosure Exploit: A local attacker with read access reads `.blob` files written by the application (e.g., trace-12345.blob) to recover serialized telemetry payloads (spans, metrics, logs in Protobuf encoding), exposing sensitive data.
DoS Exploit: An attacker deposits numerous/oversized blob files, causing the retry handler to consume excess CPU/IO and potentially exhaust disk space.
Impact: Blob injection (integrity), telemetry disclosure (confidentiality), and resource exhaustion (availability).
Fix: Upgrade to patched versions (1.15.2+). Mitigations: disable disk retry in shared environments or explicitly set a directory with strict ACLs.
Platform: .NET
Version: 1.13.1–1.15.1
Vulnerability: Path traversal
Severity: Moderate (5.3)
Date: 2026-04-27
Prediction: 2026-04-26 (v1.15.2)
What Undercode Say:
Check vulnerable configuration
grep OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk /etc/environment
Identify vulnerable temp directory
dotnet script -e "Console.WriteLine(System.IO.Path.GetTempPath());"
Monitor blob directory
watch -n 5 'ls -la /tmp/{traces,metrics,logs}/*.blob 2>/dev/null'
Exploit:
Blob injection (write permissions):
echo "fake trace data" > /tmp/traces/injected.blob
Telemetry disclosure (read permissions):
cat /tmp/traces/*.blob
DoS (fill directory):
dd if=/dev/zero of=/tmp/logs/padding.blob bs=1M count=1000
Protection:
- Upgrade to v1.15.2+
- Set `OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH` to secure path
- Restrict temp directory perms: `chmod 700 /custom/secure/path`
- Monitor for unexpected `.blob` files
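A defender-side audit of the configuration described above, as an added example that is not from the advisory or from the OpenTelemetry project: it reads the exporter's environment from a KEY=VALUE file (a constructed sample, not a real deployment), resolves the storage root the way the advisory says the exporter does, and flags a shared temp root or signal directories that other local users can write to. It assumes Linux with GNU `stat`, and mirrors `Path.GetTempPath()` as `$TMPDIR` or `/tmp`.

```shell
#!/bin/sh
# Added example: audit a .NET app's environment for the unsafe disk-retry
# default and check the resulting blob directories. Assumes Linux + GNU stat.

# Resolve the storage root the exporter would use from a KEY=VALUE env file.
# Prints the root; returns 1 (prints nothing) if disk retry is not enabled.
otlp_retry_root() {
    envfile="$1"
    retry=$(grep -m1 '^OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=' "$envfile" | cut -d= -f2-)
    [ "$retry" = "disk" ] || return 1
    dir=$(grep -m1 '^OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH=' "$envfile" | cut -d= -f2-)
    [ -n "$dir" ] && { printf '%s\n' "$dir"; return 0; }
    # No explicit path: the exporter falls back to the shared temp directory
    # (approximated here as $TMPDIR or /tmp; assumption for this example).
    printf '%s\n' "${TMPDIR:-/tmp}"
}

# Returns 0 when the config is safe, 1 when the root is a shared temp dir
# or a signal directory is group/world-writable (blobs can be dropped there).
otlp_retry_audit() {
    root=$(otlp_retry_root "$1") || { echo "disk retry disabled: OK"; return 0; }
    rc=0
    case "$root" in
        /tmp|/tmp/|/var/tmp|/var/tmp/|"${TMPDIR:-/tmp}")
            echo "RISK: storage root is shared temp dir $root"; rc=1 ;;
    esac
    for sig in traces metrics logs; do
        d="$root/$sig"
        [ -d "$d" ] || continue
        perm=$(stat -c '%a' "$d")
        # 022 masks the group and other write bits (octal arithmetic)
        if [ $((0$perm & 022)) -ne 0 ]; then
            echo "RISK: $d mode $perm is writable by other users"; rc=1
        fi
        n=$(find "$d" -maxdepth 1 -name '*.blob' | wc -l)
        echo "$d: $n .blob file(s) queued"
    done
    return $rc
}
```

Run it against the service's environment file, e.g. `otlp_retry_audit /etc/myapp.env`; a non-zero exit means the exporter would spool telemetry where other users can read or write it.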
Impact:
- Integrity: Blob injection leading to arbitrary telemetry injection
- Confidentiality: Telemetry data disclosure
- Availability: Resource exhaustion (CPU/disk)
Sources:
Reported By: github.com