OpenDeck Path Traversal Vulnerability Allowing Arbitrary File Read
Vulnerability
A path traversal vulnerability has been identified in OpenDeck, a Linux application for Elgato Stream Deck, in versions prior to 2.8.1. The vulnerability arises because the web server component, which listens on port 57118, fails to properly sanitize file path requests for installed plugins. This lack of validation allows attackers to manipulate the request path to traverse outside the intended directory and access any file that OpenDeck can read. Exploitation of this vulnerability could lead to the disclosure of sensitive user information, such as SSH keys or application credentials.
Impact
Exploitation of this vulnerability allows for arbitrary file read, with potential access to sensitive user data like SSH private keys, AWS credentials, browser profile data, and application config files containing secrets.
Reproduction
To reproduce this vulnerability, OpenDeck version 2.8.0 must be installed and running on a Linux machine. The local username, which is needed for the exploit, can be obtained by observing the screen while the victim is using the application. Once OpenDeck is running, a request can be sent to the web server on port 57118, including `../` sequences to traverse the file system and access sensitive files such as `~/.ssh/id_rsa`. This can be done using a proof-of-concept exploit available on CodePen.
Remediation
Users are advised to update OpenDeck to version 2.8.1 or later, where this vulnerability has been patched.
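The missing check described above, confining plugin file requests to the plugin's own directory, as an added illustration in Rust (this is the editor's example, not OpenDeck's code; the function and fixture names are assumptions, and the server is assumed to have percent-decoded the URL path before calling it):

```rust
use std::fs;
use std::path::{Component, Path, PathBuf};

/// Lexically validate a client-supplied relative path: every component must be a
/// plain file name. Rejects "..", absolute paths and Windows drive prefixes.
pub fn sanitize_relative(requested: &str) -> Option<PathBuf> {
    let mut out = PathBuf::new();
    for comp in Path::new(requested).components() {
        match comp {
            Component::Normal(name) => out.push(name),
            Component::CurDir => {}
            Component::ParentDir | Component::RootDir | Component::Prefix(_) => return None,
        }
    }
    if out.as_os_str().is_empty() { None } else { Some(out) }
}

/// Resolve a plugin asset request so the result is guaranteed to lie inside
/// `plugin_root`. Both sides are canonicalized, so a symlink planted inside the
/// plugin directory cannot point the server outside it either.
pub fn resolve_plugin_file(plugin_root: &Path, requested: &str) -> Option<PathBuf> {
    let rel = sanitize_relative(requested)?;
    let root = plugin_root.canonicalize().ok()?;
    let full = root.join(rel).canonicalize().ok()?;
    if full.starts_with(&root) { Some(full) } else { None }
}

/// Constructed fixture (assumed layout, not OpenDeck's): a throwaway plugin
/// directory holding one asset, plus a "secret" file two levels above it that
/// stands in for data the web server must never serve.
pub fn make_fixture() -> PathBuf {
    let base = std::env::temp_dir().join(format!("plugin_path_demo_{}", std::process::id()));
    let root = base.join("plugins").join("example-plugin");
    fs::create_dir_all(&root).expect("create fixture");
    fs::write(root.join("manifest.json"), "{}").expect("write asset");
    fs::write(base.join("secret.txt"), "not for the web server").expect("write secret");
    root
}

fn main() {
    let root = make_fixture();
    for req in ["manifest.json", "./manifest.json", "../../secret.txt", "/etc/hostname"] {
        match resolve_plugin_file(&root, req) {
            Some(p) => println!("{req:>18} -> served {}", p.display()),
            None => println!("{req:>18} -> rejected"),
        }
    }
}
```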
