SecureDrop Client Path Traversal Vulnerability Leading to Code Execution

Vulnerability

A path traversal vulnerability allowing code execution has been identified in the SecureDrop Client desktop application, used by journalists to communicate with sources via the SecureDrop Workstation. This vulnerability exists in SecureDrop Client versions prior to 0.14.1. The issue arises when the client downloads replies from a SecureDrop Server, which is a dedicated physical machine accessed only through Tor. The vulnerability can be exploited if a SecureDrop Server is compromised, allowing a malicious server to craft a response that exploits the client's reply handling process.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the SecureDrop Client's virtual machine, named 'sd-app'.

Reproduction

To reproduce this vulnerability, a reply must be downloaded from a compromised SecureDrop Server to the SecureDrop Client. The server controls the 'Content-Disposition' header of the response and can supply a filename containing path traversal sequences. Once the reply is downloaded, the SecureDrop Client's 'safe_move()' function detects the path traversal and refuses to move the file, but by then the file has already been written to the directory selected by the malicious filename, and it stays there. This can be automated by crafting a reply that, when downloaded, triggers the vulnerability by writing an autostart file into a location that executes code on the virtual machine.

Remediation

Users should update the SecureDrop Client to version 0.14.1, which addresses the vulnerability by properly sanitizing filenames before use.
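The check that the remediation describes, sanitizing a server-supplied filename before it touches the filesystem, can be illustrated with the following Python. This is an added example written for this page; it is not SecureDrop's code and does not reproduce the fix shipped in 0.14.1. The function names, the allowlist of characters and the sample 'Content-Disposition' headers in the demonstration are all constructed for illustration. The point it makes beyond the text: the filename must be reduced to a single path component before any path is built, and the final path must still be checked for containment inside the download directory as a second, independent layer.

```python
import os
import re
from email.message import Message
from typing import Optional


class UnsafeFilename(ValueError):
    """Raised when a server-supplied filename cannot be used safely."""


# Allowlist for a downloaded reply's name: anything else becomes '_'.
_DISALLOWED = re.compile(r"[^A-Za-z0-9._-]")


def filename_from_content_disposition(header: str) -> Optional[str]:
    """Extract the filename parameter from a Content-Disposition value.

    The stdlib email parser is used so that RFC 2231 encoded names
    (filename*=UTF-8''...) are decoded the same way as plain ones.
    """
    msg = Message()
    msg["Content-Disposition"] = header
    return msg.get_filename()


def sanitize_filename(raw: str) -> str:
    """Reduce a server-controlled filename to one safe path component.

    Both '/' and '\\' are treated as separators: the client may run on any
    platform and an untrusted server may send either form.
    """
    name = raw.replace("\\", "/")
    name = name.rsplit("/", 1)[-1]       # keep only the last component
    name = _DISALLOWED.sub("_", name)    # allowlist the remaining characters
    name = name.lstrip(".")              # no '.', '..' or hidden files
    if not name:
        raise UnsafeFilename(f"no usable filename in {raw!r}")
    return name


def resolve_download_path(download_dir: str, header: str) -> str:
    """Return an absolute path inside download_dir for the reply, or raise.

    Containment is verified on the resolved path even though the name has
    already been sanitized, so a future bug in sanitize_filename() cannot
    silently reintroduce traversal.
    """
    raw = filename_from_content_disposition(header)
    if raw is None:
        raise UnsafeFilename("Content-Disposition carries no filename")
    name = sanitize_filename(raw)
    base = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(target) != base:
        raise UnsafeFilename(f"{target!r} escapes {base!r}")
    return target


if __name__ == "__main__":
    # Constructed sample headers (not captured from any real server).
    samples = [
        'attachment; filename="reply 1 (final).gpg"',
        'attachment; filename="../../.config/autostart/evil.desktop"',
        'attachment; filename="..\\..\\evil.desktop"',
        'attachment; filename=".."',
        "inline",
    ]
    for header in samples:
        try:
            print(f"{header!r:60} -> {resolve_download_path('/tmp/sd-replies', header)}")
        except UnsafeFilename as exc:
            print(f"{header!r:60} -> rejected: {exc}")
```

Whether to rewrite an unsafe name (as above) or reject the whole download is a policy choice; rewriting keeps the client usable when a legitimate server sends an unusual name, while rejection makes tampering more visible in logs.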

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 7.5
exploitability: 9.3
remediation: 7.7
relevance: 0.0
threat: 4.9
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.