CVE-2023-36654: CVCN

Directory traversal in the log-download REST API endpoint in ProLion CryptoSpike 3.0.15P2 allows remote authenticated attackers to download host server SSH private keys (associated with a Linux root user) by injecting paths inside REST API endpoint parameters.

Introduction

CryptoSpike allows operators to download logs from the system through a dedicated section of the web management interface. To download logs, the web application calls a REST API endpoint that is vulnerable to directory traversal when the filename parameter contains a traversal sequence (i.e. “../”), which allows a malicious user to read confidential data that was never intended to be downloadable (e.g. private SSH keys that can be used to access all system host servers with the highest privileges).

Steps to reproduce

To consume the vulnerable REST API endpoint, a valid JWT Bearer token belonging to a CryptoSpike user is required. For the invocation to succeed, the user only needs a role with the “Logs / DOWNLOAD” permission set to READ.

The REST API endpoint is named /logs/:filename under the “API-Gateway” service on the leader node (https://leaderhostname/api/v1/Server/logs/:filename) and is invoked with an HTTP GET request.

Specifying a nonexistent filename as the :filename parameter makes the system return a low-level error message containing the absolute path of the requested file, which hints at a potential directory traversal vulnerability on the endpoint:

To confirm this, it is possible to send another request with the same filename but with a relative path (input string “../downloads/NONEXISTENT” with URL encoding on all special characters), which results in the same error message with the same absolute path:

This confirms that the API is vulnerable to directory traversal attacks. Moreover, by analyzing the filesystem of the relevant Docker container, which is reachable through the traversal, a sensitive file containing an unprotected SSH private key was found (input string “../../ssh/update_key”, URL encoded as %2E%2E%2F%2E%2E%2Fssh%2Fupdate%5Fkey):

By using this private key with an SSH command line client to connect to the host servers of the CryptoSpike infrastructure (in the testing environment one Leader server and two Agent servers), the connection is established without entering a password and a remote shell is obtained as a user with root privileges:
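The two defender-side pieces that follow from the write-up are (a) a filename check for a log-download endpoint that rejects traversal sequences, including percent-encoded and double-encoded forms, and answers with a generic error instead of the absolute path, and (b) a detection pass over web-server access logs that flags requests to the log endpoint whose decoded path contains “../”. The code below is an added example and is not CryptoSpike's or ProLion's code; the log directory (/var/app/logs), the access-log lines and the hostnames are constructed assumptions, and the only value taken from the advisory is the encoded input string it reports.

```python
"""Hardened log-download filename resolution plus a traversal detector.

Added example, not the vendor's code. LOG_ROOT and SAMPLE_ACCESS_LOG are
constructed for illustration.
"""
import os
import re
from urllib.parse import unquote

# Assumed: the only directory the endpoint is allowed to serve files from.
LOG_ROOT = "/var/app/logs"

# Only plain file names are accepted; no separators, no traversal segments.
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9._-]+")
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing.

    A single unquote() turns "%252E" into "%2E", not ".", so double-encoded
    traversal would survive one round. Input that is still changing after
    max_rounds is treated as hostile and rejected.
    """
    current = value
    for _ in range(max_rounds):
        nxt = unquote(current)
        if nxt == current:
            return current
        current = nxt
    raise ValueError("invalid filename")


def resolve_log_path(filename: str, log_root: str = LOG_ROOT) -> str:
    """Return the absolute path of a log file inside log_root.

    Raises ValueError with a fixed message on any suspicious input, so the
    caller never echoes a filesystem path back to the client (the advisory's
    absolute-path error message is what revealed the traversal).
    """
    decoded = fully_decode(filename)
    if not decoded or "\x00" in decoded or decoded in (".", ".."):
        raise ValueError("invalid filename")
    if "/" in decoded or "\\" in decoded or not SAFE_NAME_RE.fullmatch(decoded):
        raise ValueError("invalid filename")

    root = os.path.realpath(log_root)
    candidate = os.path.realpath(os.path.join(root, decoded))
    # Defence in depth: realpath() also follows symlinks, so a log file that
    # is itself a link pointing outside the root is refused here.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("invalid filename")
    return candidate


def is_safe_log_name(filename: str, log_root: str = LOG_ROOT) -> bool:
    """Boolean wrapper around resolve_log_path() for policy checks and tests."""
    try:
        resolve_log_path(filename, log_root)
        return True
    except ValueError:
        return False


# Constructed access-log lines in common log format; the second request path
# is the encoded string reported in the advisory.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jun/2023:10:00:00 +0000] "GET /api/v1/Server/logs/system.log HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jun/2023:10:00:02 +0000] "GET /api/v1/Server/logs/..%2Fdownloads%2FNONEXISTENT HTTP/1.1" 500 310',
    '10.0.0.9 - - [01/Jun/2023:10:00:07 +0000] "GET /api/v1/Server/logs/%2E%2E%2F%2E%2E%2Fssh%2Fupdate%5Fkey HTTP/1.1" 200 1675',
]


def flag_traversal_requests(lines, endpoint_prefix="/api/v1/Server/logs/"):
    """Return (client, decoded_path) for GET requests to the log endpoint whose
    decoded path contains a traversal segment. Decoding mirrors what the server
    does, so encoded variants are caught as well."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 7:
            continue  # not a well-formed common-log-format line
        client, method, raw_path = parts[0], parts[5].strip('"'), parts[6]
        if method != "GET" or endpoint_prefix not in raw_path:
            continue
        try:
            decoded = fully_decode(raw_path)
        except ValueError:
            decoded = raw_path  # still worth flagging if it matches below
        if TRAVERSAL_RE.search(decoded):
            hits.append((client, decoded))
    return hits


if __name__ == "__main__":
    for name in ("system.log", "../downloads/NONEXISTENT",
                 "%2E%2E%2F%2E%2E%2Fssh%2Fupdate%5Fkey", "%252E%252E%252Fetc%252Fpasswd"):
        print(f"{name!r:45} safe={is_safe_log_name(name)}")
    for client, path in flag_traversal_requests(SAMPLE_ACCESS_LOG):
        print(f"traversal attempt from {client}: {path}")
```

The rejection path deliberately returns the same fixed message for every failure; whether the file exists, where it would have resolved, and which check failed are all details the client does not need. The detector keys on the decoded path rather than the raw one, so it will also surface the double-encoded variant and, after an upgrade that fixes the endpoint, remains useful for spotting accounts still probing it.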