pyLoad-ng Path Traversal Vulnerability in CNL Blueprint Leading to Remote Code Execution

Vulnerability

A path traversal vulnerability has been identified in the 'addcrypted' endpoint of pyLoad-ng, specifically in versions 0.5.0b3.dev89 and earlier. This vulnerability allows unauthenticated attackers to write arbitrary files outside the designated storage directory. Exploitation of this issue can overwrite critical system files, such as cron jobs and systemd services, potentially leading to privilege escalation and remote code execution as root.

Impact

Exploitation of this vulnerability allows for arbitrary file writing outside the intended directory, with the potential to overwrite important system files. This could be used to escalate privileges and execute code remotely as the root user.

Reproduction

To reproduce this vulnerability, send a POST request to the '/addcrypted' endpoint with a crafted 'package' parameter that includes path traversal sequences, such as '../../..', followed by a filename that indicates a critical system file, like a cron job. The 'crypted' parameter should be base64-encoded data that, when decoded, represents a payload intended to be executed, such as a command to download and execute a script from an external server.

Remediation

Users should update to pyLoad version 0.5.0b3.dev90 or later, where this vulnerability has been fixed.
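Where upgrading has to be staged, or for reviewing similar handlers that build a file name from a request parameter, the containment check below shows the bug class next to a hardened form. It is an added example, not pyLoad's code or its actual fix; the names `naive_target`, `safe_target`, `check` and the `.container` suffix are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

SUFFIX = ".container"  # assumed file suffix, not taken from pyLoad


class UnsafePackageName(ValueError):
    """Raised when a package name would resolve outside the storage directory."""


def naive_target(storage_dir: str, package: str) -> str:
    # Bug class described above: the request parameter is joined unchecked,
    # so "../" segments in it walk out of storage_dir.
    return os.path.normpath(os.path.join(storage_dir, package + SUFFIX))


def safe_target(storage_dir: str, package: str) -> Path:
    # Reject empty names, path separators, NUL bytes and dot-only names up front.
    if not package or any(c in package for c in ("/", "\\", "\x00")):
        raise UnsafePackageName(package)
    if package.strip(".") == "":
        raise UnsafePackageName(package)
    base = Path(storage_dir).resolve()
    target = (base / (package + SUFFIX)).resolve()
    # Defence in depth: the resolved path must still sit inside base
    # (this also catches a symlink planted inside the storage directory).
    if base not in target.parents:
        raise UnsafePackageName(package)
    return target


def check(storage_dir: str, package: str) -> str:
    try:
        safe_target(storage_dir, package)
        return "accepted"
    except UnsafePackageName:
        return "rejected"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as storage:
        # Constructed sample values for the 'package' parameter.
        for name in ("holiday-links", "../../../tmp/outside", "..", "a\\..\\b"):
            print(f"{name!r:26} naive={naive_target(storage, name)!r} -> {check(storage, name)}")
```

Rejected names are also worth logging with the source address, since a legitimate client has no reason to send path separators in a package name.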

Added: Aug 5, 2025, 1:32 AM
Updated: Aug 5, 2025, 1:32 AM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 10.0
exploitability: 9.1
remediation: 7.7
relevance: 0.3
threat: 6.5
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.