Assemblyline 4 Service Client Path Traversal Vulnerability Allowing Arbitrary File Write

Vulnerability

A path traversal vulnerability has been identified in the Assemblyline 4 Service Client, specifically in versions prior to 4.6.1.dev138. The issue arises in the 'task_handler.py' file, where the client accepts a SHA-256 value from the service server and uses it as a local file name without any validation or sanitization. This flaw allows a malicious or compromised server, or a man-in-the-middle (MITM) attacker, to inject a path-traversal payload. As a result, the client can be manipulated to write downloaded data to an arbitrary location on the disk, potentially overwriting critical files or executing malicious scripts.

Impact

Exploitation of this vulnerability allows for arbitrary file writes, with the potential to overwrite any file that is writable by the service user ID, which is often root. This could lead to corruption of critical system files, exhaustion of disk space, or unauthorized code execution if the overwritten file is executable.

Reproduction

To reproduce this vulnerability, a server must be set up to return a path-traversal payload in response to a file download request. The Assemblyline 4 Service Client should then be used to request the file, which will result in the injected payload being written to an arbitrary location on the disk.

Remediation

Users can upgrade to Assemblyline Service Client version 4.6.1.dev138 or later, where this vulnerability has been fixed.
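The flaw described above comes down to trusting a server-supplied "SHA-256" string as a file name. The following is an added illustration, not code from the Assemblyline project, showing the vulnerable pattern (server value joined straight onto the download directory) beside a hardened version that first checks the value has the exact shape of a SHA-256 hex digest and then confirms the resolved path is a direct child of the download directory. The function names, the `/tmp/...` base directory and the sample values are assumptions constructed for this example.

```python
import re
from pathlib import Path

# A SHA-256 hex digest is exactly 64 hexadecimal characters and nothing else.
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def unsafe_download_path(base_dir: str, name_from_server: str) -> Path:
    """Vulnerable pattern (hypothetical): the server-supplied value is used
    as the file name with no validation, so a value containing '..' or path
    separators escapes base_dir."""
    return Path(base_dir) / name_from_server


def is_valid_sha256(value) -> bool:
    """True only for a string that is exactly one hex digest."""
    return isinstance(value, str) and SHA256_RE.fullmatch(value) is not None


def validate_sha256(value) -> str:
    """Return the digest normalised to lowercase, or raise ValueError."""
    if not is_valid_sha256(value):
        raise ValueError(f"not a SHA-256 hex digest: {value!r}")
    return value.lower()


def safe_download_path(base_dir: str, name_from_server: str) -> Path:
    """Hardened pattern (hypothetical): allow-list the shape of the name,
    then, as defence in depth, check the resolved path's parent is base_dir."""
    digest = validate_sha256(name_from_server)
    base = Path(base_dir).resolve()
    target = (base / digest).resolve()
    if target.parent != base:
        raise ValueError("resolved path escapes the download directory")
    return target


def escapes(base_dir: str, path: Path) -> bool:
    """True when path resolves to a location outside base_dir."""
    base = Path(base_dir).resolve()
    resolved = path.resolve()
    return resolved != base and base not in resolved.parents


def write_downloaded_file(base_dir: str, name_from_server: str, data: bytes) -> Path:
    """Write server data only to a path that passed safe_download_path."""
    target = safe_download_path(base_dir, name_from_server)
    Path(base_dir).mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


if __name__ == "__main__":
    import tempfile

    # Constructed sample values: one well-formed digest, one traversal payload.
    good_name = "a" * 64
    bad_name = "../../etc/passwd"
    with tempfile.TemporaryDirectory() as tmp:
        # The unsafe join silently produces a path outside the directory.
        print("unsafe join escapes base:", escapes(tmp, unsafe_download_path(tmp, bad_name)))
        # The hardened path accepts the digest and rejects the payload.
        print("written:", write_downloaded_file(tmp, good_name, b"file contents"))
        try:
            write_downloaded_file(tmp, bad_name, b"file contents")
        except ValueError as err:
            print("rejected:", err)
```

The shape check is the real control: once the name can only be 64 hex characters, no separator or `..` can reach the file system call. The parent check after `resolve()` costs one extra line and catches a future regression where someone relaxes the regular expression; keeping both is the usual defence-in-depth choice for a client that accepts file names from a remote peer.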

Added: Aug 9, 2025, 3:18 AM
Updated: Aug 9, 2025, 3:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.0
remediation: 0.0
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.