h2oai/h2o-3
cpe:2.3:a:h2o:h2o:*:*:*:*:*:*:*
- 3.46.0.1
A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. This is achieved by exploiting the '/3/Parse' endpoint to inject attacker-controlled data as the header of an empty file, which is then exported using the '/3/Frames/framename/export' endpoint. The vulnerability could lead to remote code execution and complete access to the system running h2o-3, as attackers can overwrite critical files such as private SSH keys or script files.
The vulnerability allows for arbitrary file writes, with the potential to overwrite sensitive files like private SSH keys or executable scripts, leading to remote code execution and full access to the system where h2o-3 is running.
To reproduce this vulnerability, start the h2o-3 server and note the IP address. First, upload a file consisting of a single space and a newline to create an empty frame. Then, parse the file by injecting attacker-controlled data into the header, specifying the destination frame and other parsing options. Finally, export the parsed data to a specified file path, where the injected data will be written.
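A defender's check for the request sequence described above, as an added example that is not part of the original advisory or the h2o-3 project: it scans access-log lines for a successful POST to `/3/Parse` followed shortly by a POST to `/3/Frames/<name>/export` from the same client. The log format, the sample lines, the five-minute window, the use of POST for both steps and the function name are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample: assumed reverse-proxy access-log format, not h2o-3 output.
SAMPLE_LOG = """\
10.0.0.5 [2024-05-01T10:00:02] "POST /3/Parse HTTP/1.1" 200
10.0.0.5 [2024-05-01T10:00:04] "POST /3/Frames/a.hex/export HTTP/1.1" 200
10.0.0.9 [2024-05-01T10:05:00] "POST /3/Parse HTTP/1.1" 200
10.0.0.9 [2024-05-01T11:30:00] "POST /3/Frames/b.hex/export HTTP/1.1" 200
10.0.0.7 [2024-05-01T12:00:00] "POST /3/Frames/c.hex/export HTTP/1.1" 200
10.0.0.7 [2024-05-01T12:00:05] "GET /3/Frames/c.hex HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) '
    r'HTTP/[\d.]+" (?P<status>\d{3})$'
)
PARSE_RE = re.compile(r"^/3/Parse(?:\?|$)")
EXPORT_RE = re.compile(r"^/3/Frames/(?P<frame>[^/?]+)/export(?:\?|$)")
WINDOW = timedelta(minutes=5)  # assumed correlation window; tune per environment


def find_parse_then_export(log_text, window=WINDOW):
    """Return one alert per export that follows a Parse from the same client."""
    last_parse = {}  # client IP -> time of its latest successful POST /3/Parse
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        # Assumption: both steps arrive as POST; only 2xx responses are counted.
        if not m or m["method"] != "POST" or not m["status"].startswith("2"):
            continue
        ts = datetime.fromisoformat(m["ts"])
        if PARSE_RE.match(m["path"]):
            last_parse[m["ip"]] = ts
            continue
        exp = EXPORT_RE.match(m["path"])
        if not exp or m["ip"] not in last_parse:
            continue
        gap = ts - last_parse[m["ip"]]
        # The Parse target frame is in the request body, which access logs do
        # not record, so correlation is by client and time rather than by frame.
        if timedelta(0) <= gap <= window:
            alerts.append({"client": m["ip"], "frame": unquote(exp["frame"]),
                           "gap_seconds": gap.total_seconds()})
    return alerts


if __name__ == "__main__":
    for alert in find_parse_then_export(SAMPLE_LOG):
        print(alert)
```

Legitimate import-then-export workflows produce the same sequence, so a hit is a lead for reviewing the export destination path, not a verdict.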