CVE-2023-29380: security - Warpinator: Remote file deletion vulnerability (CVE-2023-29380)

Warpinator before 1.6.0 allows remote file deletion via directory traversal in top_dir_basenames.


Date: Wed, 26 Apr 2023 11:54:38 +0200
From: Matthias Gerstner <mgerstner@…e.de>
To: oss-security@…ts.openwall.com
Subject: Warpinator: Remote file deletion vulnerability (CVE-2023-29380)

Hi list,

this report is about a remote file deletion vulnerability in Warpinator [1].

Introduction

I already reviewed and found issues in Warpinator a while ago [2]. The openSUSE packager for Warpinator asked me for a follow-up review after updating to upstream release 1.4.3 which contained the fixes for CVE-2022-42725.

In the course of the review I found another vulnerability which is described in detail in the next section.

The Vulnerability

In the code base of version 1.4.3 the sender of a file also sends a list of `top_dir_basenames` to the peer. While there is now a verification of the `relative_path` on the receiving side, the `top_dir_basenames` are not verified at all. In `FileReceiver.__init__()` the following code is found:

```python
for name in op.top_dir_basenames:
    try:
        path = os.path.join(self.save_path, name)
        if os.path.isdir(path):  # file not found is ok
            shutil.rmtree(path)
        else:
            os.remove(path)
    except FileNotFoundError:
        pass
    except Exception as e:
        logging.warning("Problem removing existing files. Transfer may not succeed: %s" % e)
```

If the sender is passing a string like "../" as part of `top_dir_basenames` then this code will delete the complete parent directory of the download directory (by default ~/Warpinator) and thus the complete home directory of the receiving party. Any other files under control of the receiving party are similarly endangered by this remote DoS / integrity attack.

This can happen automatically if the receiving side is running Warpinator in trusted mode, both parties share the same non-default group key and unconfirmed file overwrites are allowed. If this is not the case then the receiving side will see a confirmation popup like

    X wants to send `../'

This message might not look very suspicious to an average end user. Other strings can be used here as well, like an absolute path to the user's home directory, which could be interpreted as correct, or overlooked.

I investigated whether the fact that this allows deleting the download directory completely could lead to a follow-up vulnerability that allows overwriting files in other paths again. This seems not to be possible though. The check of the `relative_path()` is stable enough to prevent this even if the download directory does not exist at all.
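As an added example (not code from the advisory and not Warpinator's actual fix in commit 9aae768), the following is a hardened form of the loop quoted above: every entry of `top_dir_basenames` must be a single plain path component before anything is removed, and a containment check on the joined path acts as a second line of defence. The function names and the temporary-directory scenario in `demo()` are constructed for illustration.

```python
import os
import shutil
import tempfile

def is_safe_basename(name: str) -> bool:
    """Accept only a single, plain path component (what a 'basename' should be)."""
    if not name or name in (".", "..") or "\x00" in name or os.path.isabs(name):
        return False
    # Any separator means the value is a path, not a basename ("../", "a/../../b").
    seps = (os.sep,) + ((os.altsep,) if os.altsep else ())
    return not any(s in name for s in seps)

def remove_existing_top_dirs(save_path: str, top_dir_basenames) -> list:
    """Hardened counterpart of the quoted loop (example code, not upstream's fix).
    Validates the whole list first, then removes; returns the names actually removed."""
    save_root = os.path.abspath(save_path)
    bad = [n for n in top_dir_basenames if not is_safe_basename(n)]
    if bad:
        raise ValueError(f"rejected unsafe top_dir_basenames: {bad!r}")
    removed = []
    for name in top_dir_basenames:
        path = os.path.join(save_root, name)
        # Second line of defence: the target must be a direct child of save_root.
        if os.path.dirname(os.path.abspath(path)) != save_root:
            raise ValueError(f"path escapes download directory: {path!r}")
        if os.path.islink(path) or os.path.isfile(path):
            os.remove(path)  # a symlink is removed itself, never followed
        elif os.path.isdir(path):
            shutil.rmtree(path)
        else:
            continue  # nothing there: fine, as in the original code
        removed.append(name)
    return removed

def demo() -> dict:
    """Constructed scenario: a download dir with content and a sibling that must survive."""
    with tempfile.TemporaryDirectory() as home:
        save = os.path.join(home, "Warpinator")
        os.makedirs(os.path.join(save, "photos"))
        open(os.path.join(save, "photos", "a.jpg"), "w").close()
        open(os.path.join(home, "secret.txt"), "w").close()
        removed = remove_existing_top_dirs(save, ["photos", "missing"])
        try:
            remove_existing_top_dirs(save, ["../"])  # the advisory's attack string
            traversal_rejected = False
        except ValueError:
            traversal_rejected = True
        return {"removed": removed, "traversal_rejected": traversal_rejected,
                "photos_gone": not os.path.exists(os.path.join(save, "photos")),
                "secret_kept": os.path.exists(os.path.join(home, "secret.txt"))}
```

Rejecting the whole list before touching the file system matters: validating entry by entry while deleting would still let a crafted list remove legitimate entries before the bad one is hit.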

Affectedness

The problematic handling of `top_dir_basenames` was first introduced in upstream version 1.0.7.

Bugfixes

The remote file deletion vulnerability has been fixed upstream via commit 9aae768 [3].

The fact that this vulnerability escaped both upstream's and my own review efforts during handling of CVE-2022-4272 confirmed earlier concerns I had about relying on a single line of defense in the Warpinator codebase. I recommended that upstream use an isolation technique like Linux mount namespaces to prevent escapes from the destined download directory. In the light of this new security issue I additionally or alternatively recommended a redesign of the codebase to better separate trusted and untrusted codepaths.

Upstream used the 90 days embargo time we offered to implement isolation mechanisms either based on Linux namespaces through the Bubblewrap tool, or based on the Linux kernel's Landlock security module. Only if neither of the two can be established will Warpinator run in a legacy mode. In this case the user will be warned about the weakened security.

The new Warpinator major version release 1.6.0 contains both the bugfix for the remote file deletion issue as well as the added security layers.

Timeline

2023-01-25: I reported the newly found issue to upstream and offered coordinated disclosure.
2023-03-08: Upstream shared the core changes listed above with us; I reviewed them and gave feedback.
2023-04-05: I received CVE-2023-29380 from Mitre to track the file deletion issue and shared it with upstream.
2023-04-25: Upstream needed additional time for testing and integration. The 90-day maximum embargo period we offer ends, and with the 1.6.0 release being available we agreed on the publication of all available information.

References

[1]: https://github.com/linuxmint/warpinator
[2]: https://seclists.org/oss-sec/2022/q4/38
[3]: https://github.com/linuxmint/warpinator/commit/9aae768522b7bbb09c836419893802a02221d663

Best Regards

--
Matthias Gerstner <matthias.gerstner@…e.de>
Security Engineer
https://www.suse.com/security
GPG Key ID: 0x14C405C971923553

SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman
