Halloy IRC Application Path Traversal Vulnerability in DCC Receive Flow
Vulnerability
A path traversal vulnerability has been identified in the Halloy IRC application, written in Rust. Prior to commit 0f77b2c, the Direct Client-to-Client (DCC) receive process did not properly sanitize filenames from incoming DCC SEND requests. This oversight allowed remote IRC users to send filenames containing path traversal sequences, such as '../../.ssh/authorized_keys', which would be saved outside the user's designated save directory. With the auto-accept feature enabled, this exploitation required no user interaction. After commit 0f77b2c, all relevant code paths were updated to sanitize filenames using a shared function, addressing the vulnerability.
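The fix described above routes every DCC receive path through one shared sanitizing function. The following is an added example of what such a function can look like, written for this page and not taken from Halloy's code base; the names `sanitize_dcc_filename` and `dcc_save_path` are hypothetical. It keeps only the final path component of the sender-supplied name and then checks that the joined path is a direct child of the save directory.

```rust
use std::path::{Component, Path, PathBuf};

/// Reduce an attacker-controlled DCC SEND filename to one plain file name.
/// Hypothetical helper for this example, not Halloy's actual sanitizer.
pub fn sanitize_dcc_filename(raw: &str) -> Option<String> {
    // Keep only the text after the last separator; treat both '/' and '\\'
    // as separators, since the sender's platform is unknown.
    let last = raw.rsplit(['/', '\\']).next()?;
    // Strip control characters (including NUL) and ':' (Windows drive and
    // alternate data stream syntax), then surrounding whitespace.
    let cleaned: String = last
        .chars()
        .filter(|c| !c.is_control() && *c != ':')
        .collect();
    let name = cleaned.trim();
    // Reject empty names and the two special directory entries.
    if name.is_empty() || name == "." || name == ".." {
        return None;
    }
    Some(name.to_string())
}

/// Join the sanitized name onto the save directory and confirm the result
/// is exactly one Normal component below it (defense in depth).
pub fn dcc_save_path(save_dir: &Path, raw: &str) -> Option<PathBuf> {
    let name = sanitize_dcc_filename(raw)?;
    let candidate = save_dir.join(&name);
    let extra: Vec<Component> = candidate
        .components()
        .skip(save_dir.components().count())
        .collect();
    match extra.as_slice() {
        [Component::Normal(_)] => Some(candidate),
        _ => None,
    }
}

fn main() {
    // Constructed sample input: the traversal name quoted in the advisory,
    // a Windows-style variant, and two edge cases, against a save directory.
    let save_dir = Path::new("/home/user/downloads");
    for raw in ["../../.ssh/authorized_keys", "..\\..\\evil.exe", "..", "report.txt"] {
        println!("{raw:?} -> {:?}", dcc_save_path(save_dir, raw));
    }
}
```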
Impact
Exploitation of this vulnerability allows remote IRC users to write files to arbitrary locations on the victim's filesystem, potentially overwriting important configuration files or placing malicious executables in startup directories. This could lead to unauthorized execution of code or disruption of normal system operations.
Reproduction
The vulnerability can be reproduced by sending a crafted IRC message that includes a DCC SEND request with a filename containing path traversal sequences. This can be done using any IRC client or through a raw TCP connection to the IRC server. If the victim has auto-accept enabled, the file will be automatically saved to the traversed path. Alternatively, if manual approval is used with a configured save directory, the file will be saved to the same traversed location.
Remediation
Updating to a build that includes commit 0f77b2c resolves the vulnerability. Users who cannot update can disable DCC file transfers altogether, which mitigates it. For those who wish to keep DCC transfers enabled on an unpatched build, it is important to review the save directory configuration, since manual approval of transfers does not prevent exploitation on its own.