Let's Encrypt Lego Client Path Traversal Vulnerability in Webroot HTTP-01 Challenge Provider Allowing Arbitrary File Write and Deletion

Vulnerability

A path traversal vulnerability has been identified in the webroot HTTP-01 challenge provider of Lego, the Let's Encrypt client and ACME library written in Go. The vulnerability, present in all versions prior to 4.34.0, allows a malicious ACME server to return challenge tokens containing '../' sequences. When such a token is processed, Lego can be tricked into writing or deleting files at any location accessible to the Lego process. The issue arises because the challenge file path is built by joining the webroot with the ACME token as received, without validating the token. A well-formed ACME token is a base64url string (RFC 8555, section 8.3), so a token containing path separators or '..' segments is never legitimate and should be rejected; without that check the token can traverse out of the intended webroot and manipulate files elsewhere on the filesystem.

Impact

Exploitation of this vulnerability allows the malicious ACME server to write or delete files at paths of its choosing, with the contents of the written file being the key authorization for the challenge. Depending on the files targeted, this could overwrite critical data such as configuration files or TLS certificates, corrupt application state, or lead to remote code execution, for example by dropping a file into a cron directory or into a web application directory served from the webroot. If Lego runs as root, writes and deletions are limited only by the filesystem itself.

Reproduction

To reproduce this vulnerability, run a Lego version prior to 4.34.0 with the webroot HTTP-01 provider and point it at a malicious ACME server that returns challenge tokens containing path traversal sequences. The webroot provider writes the key authorization to the traversed path without validation, so the file lands outside the webroot directory. The same behaviour can be demonstrated with a small Go program that calls the webroot provider's Present method directly with a crafted token and then checks for the presence of the written file outside the webroot.

Remediation

Users should update to Lego version 4.34.0 or later, where this vulnerability has been fixed.

Added: Apr 21, 2026, 7:42 PM
Updated: Apr 21, 2026, 7:42 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.8
exploitability: 7.5
remediation: 0.0
relevance: 6.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.