Pyrofork Path Traversal Vulnerability in Media Downloading Method
Vulnerability
A path traversal vulnerability has been identified in Pyrofork, an asynchronous MTProto API framework, in versions through 2.3.68. The issue arises in the 'download_media' method, which fails to properly sanitize filenames received from Telegram messages before using them to construct file paths. This flaw allows remote attackers to write files to arbitrary locations on the filesystem by sending documents with specially crafted filenames that include path traversal sequences or absolute paths. The vulnerability is exploited when the method is used with default filename settings, relying on the 'file_name' attribute controlled by the message sender.
Impact
Exploitation of this vulnerability could lead to arbitrary file writes, allowing attackers to place files in locations writable by the bot process. This could overwrite existing files, causing potential denial-of-service or configuration issues. In some deployment scenarios, it could even lead to code execution, especially if the bot runs with elevated privileges.
Reproduction
The vulnerability can be reproduced by using the 'download_media' method without specifying a custom filename. This will trigger the use of the 'file_name' attribute from the media object, which can be manipulated by the sender to include path traversal sequences. The resulting file path will escape the intended download directory, confirming the path traversal vulnerability.
Remediation
Users can upgrade to Pyrofork version 2.3.69, which addresses the vulnerability by sanitizing filenames to prevent path traversal. The recommended sanitization process involves removing any path components to keep only the basename, eliminating null bytes, and handling edge cases where the filename may be empty or contain only directory references.
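The vulnerable pattern described under Reproduction and the sanitization steps described above, shown side by side as an added Python example (not Pyrofork's own code; the function names `unsafe_path`, `escapes_download_dir`, `sanitize_file_name` and `safe_path` are hypothetical, and the sample `file_name` values are constructed). It also generalizes slightly beyond the text by normalizing backslashes, since clients on other platforms may send them, and by adding a final containment check on the resolved path as defense in depth:

```python
import os
import posixpath

# Constructed sender-controlled file_name values of the kind the advisory
# describes. These are illustrative, not real captured messages.
SAMPLE_NAMES = [
    "photo.jpg",              # benign
    "../../etc/passwd",       # relative traversal
    "/etc/passwd",            # absolute path
    "..\\..\\win.ini",        # Windows-style traversal
    "photo\x00.jpg",          # embedded null byte
    "..",                     # directory reference only
    "",                       # empty name
]


def unsafe_path(download_dir: str, file_name: str) -> str:
    """Vulnerable pattern: the sender-controlled name is joined as-is.

    os.path.join discards download_dir entirely when file_name is absolute,
    and '..' components are passed through untouched.
    """
    return os.path.join(download_dir, file_name)


def escapes_download_dir(download_dir: str, file_name: str) -> bool:
    """Return True if the unsafe join would land outside download_dir.

    Uses pure string normalization (abspath) so no filesystem access is needed.
    """
    base = os.path.abspath(download_dir)
    target = os.path.abspath(unsafe_path(download_dir, file_name))
    return os.path.commonpath([base, target]) != base


def sanitize_file_name(file_name: str, fallback: str = "download") -> str:
    """Hardened handling following the steps in the Remediation section:

    1. drop null bytes,
    2. keep only the basename (after normalizing backslashes to '/'),
    3. fall back to a fixed name when nothing usable remains.
    """
    name = file_name.replace("\x00", "")
    name = name.replace("\\", "/")          # assumption: treat '\\' as a separator too
    name = posixpath.basename(name)          # strips every directory component
    if name in ("", ".", ".."):
        return fallback
    return name


def safe_path(download_dir: str, file_name: str) -> str:
    """Build the final path from the sanitized name and verify containment."""
    base = os.path.abspath(download_dir)
    target = os.path.abspath(os.path.join(base, sanitize_file_name(file_name)))
    # Belt-and-braces check: even after sanitizing, refuse anything outside base.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"refusing path outside download dir: {target!r}")
    return target


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{name!r:22} escapes={escapes_download_dir('downloads', name)!s:5} "
              f"-> {safe_path('downloads', name)}")
```

Running the block prints, for each constructed name, whether the unsafe join would escape the download directory and what the hardened path becomes. The containment check in `safe_path` is redundant once `sanitize_file_name` runs, but it turns any future regression in the sanitizer into a loud failure rather than a silent arbitrary write.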