Dumb Drop Path Traversal Vulnerability Allowing Arbitrary File Overwrite and Root Access

Vulnerability

A path traversal vulnerability has been identified in Dumb Drop, a file upload application. It allows a user with upload permission to overwrite arbitrary files on the system. The issue arises because the application does not sanitize the submitted file name before saving the file, so the name can be used to manipulate the destination path. Since the application runs as root in its Docker container by default, there is no restriction on which files can be overwritten. Exploitation could involve injecting a malicious payload into a file that is executed on a schedule or triggered by a specific service action. Additionally, since the service does not require authentication, unauthenticated users could obtain root access, as could anyone who knows the PIN where one is configured.

Impact

Exploitation of this vulnerability could lead to a root shell on the server, as demonstrated in a proof-of-concept (PoC) that overwrites the server.js file with a payload that establishes a reverse shell. This PoC takes advantage of the path traversal vulnerability to execute arbitrary code as root.

Reproduction

To reproduce this vulnerability, upload a file through the '/upload/init' endpoint with a file name that includes path traversal sequences to navigate out of the intended directory. The uploaded file overwrites a system file such as 'server.js'. After the upload, restarting the application triggers execution of the injected payload, which establishes a reverse shell connection to the attacker's listener.

Remediation

The vulnerability can be addressed by sanitizing user-supplied file names so that uploads cannot include directory traversal sequences. Additionally, the application should run as an unprivileged user instead of root, if the base image allows it.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.