SecureDrop Client Path Traversal Vulnerability Leading to Code Execution

Vulnerability

A path traversal vulnerability has been identified in SecureDrop Client versions through 0.17.2: the client accepted absolute paths in the filename field of gzip headers. A compromised SecureDrop Server can exploit this flaw to execute code on the Client's virtual machine by overwriting critical files, such as the SQLite database. The vulnerability arises from improper validation of the filename carried in the gzip header, which lets the server decide where decompressed content is written and so enables the execution of a malicious payload. Exploitation requires prior compromise of the SecureDrop Server, which is only accessible via Tor hidden services.

Impact

Successful exploitation allows for arbitrary code execution on the SecureDrop Client's virtual machine, with the potential to overwrite important files like the SQLite database, disrupting the application's functionality and integrity.

Reproduction

To reproduce this vulnerability, a gzip file is crafted with an absolute path in the filename field of its header. When this file is sent to the SecureDrop Client application, the client decompresses the archive without rejecting the absolute path, so the extracted content can overwrite critical application data, such as the SQLite database, leading to code execution on the virtual machine.

Remediation

Users can upgrade to SecureDrop Client version 0.17.5, which addresses the vulnerability by properly validating filenames to prevent path traversal and the use of absolute paths.
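The check the fix describes, as an added example that is not the SecureDrop Client's own code: read the FNAME field of the gzip header and confine the output path to the download directory before writing anything. The function names, the download directory and the sample archive (constructed so that its header names a file outside that directory) are assumptions made for this illustration.

```python
import gzip
import os
import struct
import zlib

FEXTRA, FNAME = 0x04, 0x08  # gzip header flag bits (RFC 1952, section 2.3.1)


def gzip_header_filename(data: bytes) -> "str | None":
    """Return the FNAME field of a gzip header, or None when it is absent."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    flg, pos = data[3], 10
    if flg & FEXTRA:  # skip the optional extra field that precedes FNAME
        (xlen,) = struct.unpack_from("<H", data, pos)
        pos += 2 + xlen
    if not flg & FNAME:
        return None
    end = data.index(b"\x00", pos)  # FNAME is NUL-terminated Latin-1
    return data[pos:end].decode("latin-1")


def safe_output_path(header_name: "str | None", dest_dir: str, fallback: str) -> str:
    """Confine an untrusted header filename to dest_dir: drop every directory
    component (absolute or '..'), then verify the result resolves under dest_dir."""
    name = os.path.basename(header_name or "")
    if name in ("", ".", ".."):
        name = fallback
    dest_dir = os.path.realpath(dest_dir)
    out = os.path.realpath(os.path.join(dest_dir, name))
    if os.path.commonpath([dest_dir, out]) != dest_dir:
        raise ValueError(f"refusing to write outside {dest_dir}: {out!r}")
    return out


def decompress_confined(data: bytes, dest_dir: str, fallback: str):
    """Decide the output path from the validated name, then decompress."""
    path = safe_output_path(gzip_header_filename(data), dest_dir, fallback)
    return path, gzip.decompress(data)


def make_gzip_with_name(payload: bytes, header_name: str) -> bytes:
    """Constructed test vector with a caller-chosen FNAME; Python's gzip module
    applies basename() when writing, so the header is assembled by hand."""
    co = zlib.compressobj(level=9, wbits=-zlib.MAX_WBITS)  # raw deflate body
    body = co.compress(payload) + co.flush()
    header = b"\x1f\x8b\x08" + bytes([FNAME]) + b"\x00" * 4 + b"\x00\xff"
    header += header_name.encode("latin-1") + b"\x00"
    trailer = struct.pack("<II", zlib.crc32(payload) & 0xFFFFFFFF, len(payload))
    return header + body + trailer


SAMPLE = make_gzip_with_name(b"not a real database", "/tmp/constructed-target/app.db")
```

Python's own gzip module ignores FNAME when decompressing, so the danger is only in code that uses the header name to pick an output file; the confinement step above makes that choice safe regardless of what the header says.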

Added: Apr 18, 2026, 1:20 AM
Updated: Apr 18, 2026, 1:20 AM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 7.5
exploitability: 5.6
remediation: 7.7
relevance: 6.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.