Runtipi Unauthenticated Path Traversal Vulnerability Allowing Docker-Compose Overwrite and Remote Code Execution
Vulnerability
A path traversal vulnerability has been identified in Runtipi, a personal homeserver orchestrator, affecting versions from 4.5.0 up to, but not including, 4.7.2. The vulnerability resides in the UserConfigController: the controller requires no authentication, so remote users can exploit its insecure URN parsing to overwrite the system's docker-compose.yml file. If the modified file is executed after a system restart, it can lead to remote code execution and compromise of the host filesystem.
Impact
Exploitation of this vulnerability allows for unauthorized overwriting of the docker-compose.yml file, resulting in remote code execution and compromise of the host filesystem when the changes are applied.
Reproduction
To reproduce this vulnerability, send a PUT request to the UserConfigController's updateUserConfig endpoint with a crafted URN that includes directory traversal characters. The request must include a payload that replaces the docker-compose.yml file with a malicious configuration. Once the file is overwritten, restart the Runtipi instance without using the command-line interface to apply the changes.
Remediation
Users are advised to update Runtipi to version 4.7.2 or later, where this vulnerability has been patched.
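The class of bug described above comes down to building a file path from request-controlled URN parts, so the sketch below contrasts the unsafe pattern with a validated one. It is an added example, not Runtipi's code: the `<name>:<store>` URN shape, the `/data/user-config` root, the sample app name and all function names are assumptions made for illustration.

```javascript
// Added example: hypothetical names and layout, not Runtipi's code.
const BASE_DIR = "/data/user-config";          // assumed config root
const SEGMENT = /^[a-z0-9][a-z0-9_-]{0,62}$/;  // assumed allowlist for each URN part

// Collapse "." and ".." the way a filesystem would, without touching disk.
function normalize(p) {
  const out = [];
  for (const part of p.split("/")) {
    if (part === "" || part === ".") continue;
    if (part === "..") out.pop();
    else out.push(part);
  }
  return "/" + out.join("/");
}

// Unsafe pattern: URN parts are concatenated into a path unchecked.
function naiveConfigPath(urn) {
  const [name, store] = urn.split(":");
  return normalize(`${BASE_DIR}/${store}/${name}/docker-compose.yml`);
}

// Hardened pattern: strict parse, per-segment allowlist, then containment check.
function safeConfigPath(urn) {
  if (typeof urn !== "string") throw new Error("URN must be a string");
  const parts = urn.split(":");
  if (parts.length !== 2) throw new Error("URN must be <name>:<store>");
  for (const part of parts) {
    if (!SEGMENT.test(part)) {
      throw new Error(`invalid URN segment: ${JSON.stringify(part)}`);
    }
  }
  const [name, store] = parts;
  const resolved = normalize(`${BASE_DIR}/${store}/${name}/docker-compose.yml`);
  // Defence in depth: the result must still sit under BASE_DIR.
  if (!resolved.startsWith(BASE_DIR + "/")) throw new Error("path escapes config root");
  return resolved;
}

// Returns the rejection message, or null when the URN is accepted.
function rejection(urn) {
  try { safeConfigPath(urn); return null; } catch (e) { return e.message; }
}
```

String-level checks do not cover symlinks inside the config root; where that directory is writable by other components, resolve the real path on disk before writing.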
