Signal K Server Unauthenticated State Pollution Vulnerability Leading to Remote Code Execution

Vulnerability

A vulnerability in Signal K Server versions prior to 2.19.0 allows unauthenticated attackers to manipulate the server's internal state through the '/skServer/validateBackup' endpoint. This state pollution targets a global variable, 'restoreFilePath', which is used by the '/skServer/restore' endpoint to manage file restorations. By exploiting this vulnerability, an attacker can overwrite critical configuration files, such as 'security.json' and 'package.json', potentially leading to account takeover and remote code execution. The vulnerability arises from the '/skServer/validateBackup' endpoint lacking authentication, allowing any user to upload malicious files that hijack the restore functionality.

Impact

Exploitation of this vulnerability allows for remote code execution on the server, unauthorized access to administrative privileges, and potential denial of service by disrupting normal server operations.

Reproduction

The vulnerability can be reproduced by uploading a malicious zip file containing a crafted 'security.json' file through the '/skServer/validateBackup' endpoint. This action pollutes the 'restoreFilePath' variable with a path to the uploaded file. Once the restore process is initiated, the server extracts the malicious files, including the backdoor admin account details, which can then be used to exploit a separate command injection vulnerability for remote code execution.

Remediation

Users are advised to update Signal K Server to version 2.19.0 or later, where this vulnerability has been patched.

Added: Jan 1, 2026, 6:20 PM
Updated: Jan 1, 2026, 6:20 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          7.5
  exploitability  8.7
  remediation     7.7
  relevance       1.7
  threat          6.4
  urgency         2.9
  incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.