Runtipi Backup Filename Injection Vulnerability Leading to Authenticated Remote Code Execution
Vulnerability
A vulnerability in Runtipi versions 3.7.0 and later (prior to the fix in 4.7.0) allows any authenticated user to execute arbitrary commands on the host server. The BackupManager saves user-uploaded backup archives to the host filesystem under their original filenames without sanitizing them, and the restore routine later passes that filename, unescaped, into a shell command. A filename containing shell metacharacters such as '$(...)' is therefore interpreted by the shell rather than treated as a literal path, and the embedded command runs on the host with the privileges of the Runtipi process.
Impact
Exploitation of this vulnerability allows for authenticated remote code execution on the host server.
Reproduction
Upload a backup through the 'POST /api/backups/:urn/upload' endpoint with a filename that contains shell metacharacters, for example '$(id).tar.gz'. The BackupManager stores the file under that name at a predictable path on the host filesystem. Then call 'POST /api/backups/:urn/restore', referencing the uploaded filename. When the restore routine builds its shell command around the filename, the shell performs the command substitution and runs 'id' (or any other embedded command) on the host, which confirms the injection.
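The following is an added illustration, not Runtipi's own code, of the pattern behind the Vulnerability and Reproduction sections: a filename spliced into a shell command string is interpreted by the shell, whereas the same filename passed as an argv element to execFile stays literal. The '/backups' directory, the '/restore' target, the allow-list regex and the function names are assumptions made for this example; the hostile filename uses a harmless 'echo' payload in place of 'id'.

```typescript
// Added example (not Runtipi's code): vulnerable command-string construction
// beside a hardened form. Paths, regex and names are assumptions.
import { execFileSync } from "node:child_process";
import { basename, join } from "node:path";

// Allow-list for archive names: alphanumerics, dot, underscore, dash,
// must end in .tar.gz, no traversal, no directory component.
const SAFE_BACKUP_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.tar\.gz$/;

export function isSafeBackupFilename(name: string): boolean {
  return SAFE_BACKUP_NAME.test(name) && !name.includes("..") && basename(name) === name;
}

// VULNERABLE pattern: the untrusted filename is interpolated into a command
// string that will be handed to a shell, so $(...), backticks, ';' and '|'
// are interpreted. Returned as a string here so it can be inspected safely.
export function buildRestoreCommandUnsafe(backupDir: string, filename: string): string {
  return `tar -xzf ${join(backupDir, filename)} -C /restore`;
}

// HARDENED: reject anything outside the allow-list, then build an argv array
// for execFile. execFile never invokes a shell, so metacharacters stay literal.
export function buildRestoreArgv(backupDir: string, filename: string): string[] {
  if (!isSafeBackupFilename(filename)) {
    throw new Error(`rejected backup filename: ${JSON.stringify(filename)}`);
  }
  return ["-xzf", join(backupDir, filename), "-C", "/restore"];
}

// Demonstration with a constructed hostile filename; 'echo' stands in for
// 'tar' so nothing is extracted. The shell path expands the substitution,
// the argv path prints the filename unchanged.
export function shellVersusArgv(): { viaShell: string; viaArgv: string } {
  const hostile = "$(echo INJECTED).tar.gz"; // constructed, mirrors '$(id).tar.gz'
  const viaShell = execFileSync("sh", ["-c", `echo ${join("/backups", hostile)}`])
    .toString()
    .trim();
  const viaArgv = execFileSync("echo", [join("/backups", hostile)]).toString().trim();
  return { viaShell, viaArgv };
}

console.log(shellVersusArgv());
```

Running the block prints '/backups/INJECTED.tar.gz' for the shell path and the literal '/backups/$(echo INJECTED).tar.gz' for the argv path. Both layers matter: the allow-list stops hostile names from ever reaching disk, and the argv form removes the shell so that even a name that slipped past validation cannot become a command.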
Remediation
Users are advised to update Runtipi to version 4.7.0 or later, where this vulnerability has been fixed.
