CTFer.io Monitoring Path Traversal Vulnerability Leading to Arbitrary File Write and Remote Code Execution
Vulnerability
A path traversal vulnerability has been identified in the CTFer.io Monitoring component in versions prior to 0.2.2. The issue is in the sanitizeArchivePath function in pkg/extract/extract.go: the check that an archive entry's resolved path stays under the destination directory compares string prefixes without a trailing path separator. A destination such as /tmp/out therefore also accepts /tmp/out-evil/... or /tmp/outside/..., so a crafted tar archive whose entry names contain ../ components can write files outside the intended directory into any location whose absolute path begins with the destination string. The flaw is reachable through both the extractor CLI tool and the extract.DumpOTelCollector library function, giving arbitrary file writes that can overwrite sensitive files such as shell configuration files, SSH keys, kubeconfig, or crontab entries. The default ReadWriteMany PVC access mode makes the issue worse: any pod in the cluster that can mount the shared volume can place a malicious archive where the extractor will read it.
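To make the missing-separator failure concrete, the following Go example is added here and is not code from the CTFer.io project. vulnerableSanitize is an assumed reconstruction of the flawed check, modelled on the common "clean the destination, then HasPrefix" idiom the advisory describes; hardenedSanitize is the same check with the separator appended; craftedTar builds a constructed two-entry archive in memory; and Demo extracts it with each check inside a temporary directory and reports whether a file landed in the sibling directory out-evil. All function names, entry names and file contents are illustrative.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Sanitizer maps an archive entry name to a path under dst, or rejects it.
type Sanitizer func(dst, name string) (string, error)

// vulnerableSanitize reproduces the bug class (assumed shape of the pre-0.2.2
// check, not the project's code): dst is cleaned but no separator is appended,
// so "/x/out" is also a prefix of "/x/out-evil/..." and "/x/outside/...".
func vulnerableSanitize(dst, name string) (string, error) {
	v := filepath.Join(dst, name)
	if strings.HasPrefix(v, filepath.Clean(dst)) {
		return v, nil
	}
	return "", fmt.Errorf("content filepath is tainted: %q", name)
}

// hardenedSanitize appends the separator: only dst itself or paths strictly below it pass.
func hardenedSanitize(dst, name string) (string, error) {
	root := filepath.Clean(dst)
	v := filepath.Join(root, name)
	if v == root || strings.HasPrefix(v, root+string(os.PathSeparator)) {
		return v, nil
	}
	return "", fmt.Errorf("content filepath is tainted: %q", name)
}

// craftedTar builds an in-memory archive of regular files from name->content pairs
// (constructed sample input; archive/tar writes names verbatim, ".." included).
func craftedTar(entries map[string]string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for name, body := range entries {
		hdr := &tar.Header{Name: name, Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(body))}
		tw.WriteHeader(hdr) // errors ignored: fixture headers are short and well formed
		io.WriteString(tw, body)
	}
	tw.Close()
	return buf.Bytes()
}

// extract writes every entry of archive under dst, asking sanitize about each
// name. It returns the entry names that were rejected.
func extract(archive []byte, dst string, sanitize Sanitizer) ([]string, error) {
	var rejected []string
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return rejected, nil
		} else if err != nil {
			return rejected, err
		}
		target, err := sanitize(dst, hdr.Name)
		if err != nil {
			rejected = append(rejected, hdr.Name)
			continue
		}
		os.MkdirAll(filepath.Dir(target), 0o755) // a failure here surfaces in OpenFile
		f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
		if err != nil {
			return rejected, err
		}
		_, err = io.Copy(f, tr)
		f.Close()
		if err != nil {
			return rejected, err
		}
	}
}

// Demo extracts one benign entry and one sibling-prefix traversal entry into a fresh
// "<base>/out" using sanitize, then reports whether "<base>/out-evil/authorized_keys" appeared.
func Demo(sanitize Sanitizer) (escaped bool, rejected []string, err error) {
	base, err := os.MkdirTemp("", "ctfer-demo-")
	if err != nil {
		return false, nil, err
	}
	defer os.RemoveAll(base)
	archive := craftedTar(map[string]string{
		"telemetry/otelcol.log":       "benign telemetry\n",             // lands inside out/
		"../out-evil/authorized_keys": "ssh-ed25519 AAAA... attacker\n", // constructed payload
	})
	if rejected, err = extract(archive, filepath.Join(base, "out"), sanitize); err != nil {
		return false, rejected, err
	}
	_, statErr := os.Stat(filepath.Join(base, "out-evil", "authorized_keys"))
	return statErr == nil, rejected, nil
}
```

Demo(vulnerableSanitize) reports escaped=true with nothing rejected: ../out-evil/authorized_keys resolves to <base>/out-evil/authorized_keys, which begins with the string <base>/out and therefore passes the prefix test. Demo(hardenedSanitize) reports escaped=false and rejects that entry. A plain ../../etc/passwd is rejected by both checks, which is why a quick test with an obvious traversal entry does not reveal the bug.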
Impact
Exploitation of this vulnerability allows for arbitrary file writes on the machine running the extractor. This could include overwriting shell configuration files to achieve remote code execution on the next login, appending SSH keys for persistent access, hijacking Kubernetes cluster access by modifying the kubeconfig file, or adding entries to crontabs for scheduled execution of malicious tasks.
Reproduction
To reproduce this vulnerability, deploy the CTFer.io Monitoring stack with the Cold Extract feature enabled. This will initiate the collection of OTEL telemetry data. Next, upload a crafted tar file containing path traversal entries into the shared PVC used by the OTEL Collector. After that, run the extractor tool, specifying the namespace, PVC name, and output directory. The extractor will process the tar file, and the malicious entries will be written outside the intended directory, demonstrating the path traversal vulnerability.
Remediation
Update to CTFer.io Monitoring version 0.2.2 or later, where this vulnerability has been fixed. Until the upgrade is deployed, restrict which workloads can mount and write to the shared PVC used by the OTEL Collector, and treat any archive taken from it as untrusted input before running the extractor.
