Bytecode Alliance WebAssembly Micro Runtime
cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:*:*:*:*:*:*:*
- < 2.2.0
A symlink following vulnerability has been identified in the WebAssembly Micro Runtime's (WAMR) iwasm package, affecting versions through 2.2.0 and versions built with libc-uvwasi on Windows. The vulnerability allows untrusted WebAssembly modules to escape the filesystem sandbox and access the host filesystem. This is achieved by creating a symlink that points outside of the preopened directory and opening it with a create flag, which creates a file on the host outside of the sandbox. If the symlink points to an existing file, it is also possible to open it and read its contents.
Exploitation of this vulnerability allows for unauthorized access to the host filesystem, bypassing the intended sandboxing restrictions. This could lead to the exposure of sensitive files or the creation of files in unintended locations.
To reproduce this vulnerability, build WAMR either before version 2.2.0 or with the 'WAMR_BUILD_LIBC_UVWASI' option enabled. After building WAMR, set up a preopen directory and a secret file. The secret file can be created by writing 'password' into a file named 'secret'. Then, build a WebAssembly module using the 'wasi' crate version 0.11, targeting the 'wasm32-wasip1' platform. The module should create a symlink pointing outside the preopened directory, link to an existing file outside the sandbox, and open the symlinked files to demonstrate the filesystem access. Finally, run the WebAssembly module with WAMR and check the filesystem for the created file outside the preopened directory.
Users can upgrade to WAMR version 2.3.0 or later to address this vulnerability.
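The failure mode described above, as an added host-side example (not WAMR's code or its fix): `open_beneath` resolves a guest path one component at a time with `O_NOFOLLOW`, and `count_escapes` compares it with a plain `openat` on a constructed layout that mirrors the reproduction. The function names, the temporary directory layout and the reject-every-symlink policy are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `rel` beneath root_fd, refusing absolute paths, ".." and every symlink.
 * Stricter than a runtime needs (in-sandbox links are refused too). */
int open_beneath(int root_fd, const char *rel, int flags, mode_t mode) {
    char buf[4096], *save = NULL;
    if (rel[0] == '/' || strlen(rel) >= sizeof buf) { errno = EPERM; return -1; }
    strcpy(buf, rel);
    int dir = dup(root_fd);
    char *comp = strtok_r(buf, "/", &save);
    while (dir >= 0 && comp != NULL) {
        char *next = strtok_r(NULL, "/", &save);
        if (strcmp(comp, "..") == 0) { close(dir); errno = EPERM; return -1; }
        /* O_NOFOLLOW: the kernel fails with ELOOP instead of following a link */
        int fd = next ? openat(dir, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW)
                      : openat(dir, comp, flags | O_NOFOLLOW, mode);
        int saved = errno; close(dir); errno = saved;
        if (next == NULL) return fd;
        dir = fd; comp = next;
    }
    if (dir >= 0) { close(dir); errno = EINVAL; }
    return -1;
}

/* Constructed layout: <tmp>/secret, sandbox/existing -> ../secret and
 * sandbox/new -> ../created (dangling). Returns how many opens escaped. */
int count_escapes(int hardened) {
    char tmp[] = "/tmp/preopenXXXXXX";
    int t = mkdtemp(tmp) ? open(tmp, O_RDONLY | O_DIRECTORY) : -1, n = 0;
    int s = openat(t, "secret", O_CREAT | O_WRONLY, 0600);
    if (s < 0 || write(s, "password", 8) != 8 || mkdirat(t, "sandbox", 0700) ||
        symlinkat("../secret", t, "sandbox/existing") ||
        symlinkat("../created", t, "sandbox/new")) return -1;
    int root = openat(t, "sandbox", O_RDONLY | O_DIRECTORY);
    int r = hardened ? open_beneath(root, "existing", O_RDONLY, 0)
                     : openat(root, "existing", O_RDONLY);
    int c = hardened ? open_beneath(root, "new", O_CREAT | O_WRONLY, 0600)
                     : openat(root, "new", O_CREAT | O_WRONLY, 0600);
    n += (r >= 0) + (faccessat(t, "created", F_OK, 0) == 0);
    close(s); close(r); close(c); close(root); close(t);
    return n;
}
int main(void) { return count_escapes(1) != 0; }
```

On Linux 5.6 and later, `openat2` with `RESOLVE_BENEATH` gives the same containment while still allowing symlinks that stay inside the directory.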