Closed Shashank-In closed 4 years ago
Short term suggested mitigations

- ava as a dedicated user
- ava -http-host localhost to restrict network access to the RPC interface (won't help if running wallet on the same host)
- ava in a container such as Docker, or as a systemd service with namespaces applied (note to self, add that to #151)

These are by no means fixes, and I'm not contesting the severity of this issue. I don't speak for AVA Labs.
@moreati Nope, that won't be the best fix. The fix here would be to sanitize the input value of the file name.
> Nope, that won't be the best fix.

I totally agree, that's why I wrote "These are by no means fixes".
Brainstorming possible fixes

- $TMP, ~/.gecko/profiles, ava -profiles-dir /some/path
- [a-zA-Z0-9_-]+
Fixed by #256. Namely:
Thanks again for your work on this :) @Shashank-In @moreati
Describe the bug
As per the documentation, the following API is used to dump the current memory footprint of the node to the specified file.
I noticed in the code that the file name, which is a user-supplied input, is not sanitized.
Hence a malicious attacker can abuse this to overwrite an existing file on the server, like the main.go file. Also, an attacker can overwrite files in other directories by supplying the fileName parameter as
"fileName":"../../some_config_file"
Impact
A malicious user can overwrite an existing file which is required for the functioning of the application, in the same or a different directory. This could crash the application or maybe lead to command execution. For now, at least a configuration file can be overwritten with a memory dump value and make the file useless.
To Reproduce
Tested on localhost (mac). Find the steps and observations below.

- File name as file.txt: file created at $GOPATH/src/github.com/ava-labs/gecko/
- File name as ../../file.txt: file created at $GOPATH/src/github.com/

So we can even overwrite files in other directories.
Expected behavior
The file name should be sanitized and accept only alphabets (and maybe one ".")
Screenshots
Operating System: MacOS Catalina
By submitting this issue I agree to the Terms and Conditions of the Developer Accelerator Program.
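The following is an added example (not gecko's code and not the fix that landed in #256) showing the two controls discussed in this thread side by side: the path handling as reported in the issue, where the user-supplied name is joined onto the working directory and "../../file.txt" escapes it, and a hardened version that combines moreati's allow-list character set with the reporter's "at most one dot" expectation and additionally confines the result to a fixed profiles directory. The directory `/var/lib/gecko/profiles`, the regexp, the function names and the choice to open the file with O_EXCL (so an existing file is never clobbered) are all assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// profilesDir is an assumed fixed directory for memory profiles; the
// project's real default (or a -profiles-dir flag) would replace it.
const profilesDir = "/var/lib/gecko/profiles"

// safeName is an assumed allow-list: one or more [A-Za-z0-9_-] characters,
// optionally followed by exactly one "." and an alphanumeric extension.
// It cannot match "/", "\\", ".." or a leading ".", so traversal and
// hidden files are rejected before any path arithmetic happens.
var safeName = regexp.MustCompile(`^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?$`)

var ErrBadFileName = errors.New("invalid profile file name")

// UnsafeProfilePath mirrors the behaviour described in the issue: the
// caller-controlled name is used as-is. filepath.Join normalises "..",
// which is exactly how "../../file.txt" ends up outside baseDir.
func UnsafeProfilePath(baseDir, fileName string) string {
	return filepath.Join(baseDir, fileName)
}

// SafeProfilePath validates fileName against the allow-list, joins it
// under baseDir, and then re-checks that the cleaned result still lies
// inside baseDir (defence in depth should the regexp ever be relaxed).
func SafeProfilePath(baseDir, fileName string) (string, error) {
	if !safeName.MatchString(fileName) {
		return "", ErrBadFileName
	}
	base := filepath.Clean(baseDir)
	p := filepath.Join(base, fileName)
	if !strings.HasPrefix(p, base+string(filepath.Separator)) {
		return "", ErrBadFileName
	}
	return p, nil
}

// WriteProfile is the shape of a fixed handler: resolve the path safely,
// then create the file exclusively so an existing file cannot be overwritten
// with profile data (the "overwrite main.go / a config file" impact above).
func WriteProfile(baseDir, fileName string, data []byte) (string, error) {
	p, err := SafeProfilePath(baseDir, fileName)
	if err != nil {
		return "", err
	}
	f, err := os.OpenFile(p, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0600)
	if err != nil {
		return "", err
	}
	defer f.Close()
	if _, err := f.Write(data); err != nil {
		return "", err
	}
	return p, nil
}

func main() {
	// Constructed sample inputs: the two names from the bug report plus a
	// few other shapes a validator should reject.
	for _, name := range []string{"file.txt", "../../file.txt", "main.go", "/etc/passwd", "a.b.c", ".hidden"} {
		fmt.Printf("%-16s unsafe -> %s\n", name, UnsafeProfilePath(profilesDir, name))
		if p, err := SafeProfilePath(profilesDir, name); err != nil {
			fmt.Printf("%-16s safe   -> rejected (%v)\n", name, err)
		} else {
			fmt.Printf("%-16s safe   -> %s\n", name, p)
		}
	}
}
```

Note that "main.go" is still an acceptable name under the allow-list; what changes is that it can only ever land inside the profiles directory, and with O_EXCL an existing file there is left untouched rather than replaced by a heap dump.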