OpenC3 COSMOS Arbitrary File Write Vulnerability in Tool Configuration Management
Vulnerability
A vulnerability exists in OpenC3 COSMOS versions prior to 6.10.5 and 7.0.0-rc3, allowing arbitrary file writes within the shared '/plugins' directory. This issue arises from a design flaw in the 'save_tool_config()' function, where crafted configuration filenames can bypass standard path traversal protections. While the implementation canonicalizes filenames to absolute paths, it fails to restrict writes to specific plugin directories, enabling users to overwrite existing configuration files or create unauthorized file structures. The vulnerability has been addressed in versions 6.10.5 and 7.0.0-rc3.
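The gap between canonicalizing a name and confining it, as an added Ruby example (not code from OpenC3 COSMOS or from this advisory). The `/plugins/<tool>/configs` layout and the names `resolve_shared_root_only`, `resolve_confined`, `inside?` and `verdict` are assumptions made for illustration.

```ruby
# Assumed layout for illustration only (not taken from the COSMOS source):
# each tool keeps its saved configurations under PLUGINS_ROOT/<tool>/configs.
PLUGINS_ROOT = '/plugins'

# Models the design flaw described above: the name is canonicalized to an
# absolute path, but the only boundary checked is the shared root, so the
# result may still land in another plugin's directory.
def resolve_shared_root_only(tool, name)
  path = File.expand_path(name, File.join(PLUGINS_ROOT, tool, 'configs'))
  raise ArgumentError, 'outside plugins root' unless inside?(path, PLUGINS_ROOT)
  path
end

# Hardened form: canonicalize, then require the result to sit inside the
# calling tool's own configuration directory.
def resolve_confined(tool, name)
  raise ArgumentError, 'invalid tool name' unless tool.match?(/\A[A-Za-z0-9_-]+\z/)
  raise ArgumentError, 'empty or NUL in name' if name.empty? || name.include?("\0")
  base = File.join(PLUGINS_ROOT, tool, 'configs')
  path = File.expand_path(name, base)
  raise ArgumentError, "#{name.inspect} escapes #{base}" unless inside?(path, base)
  path
end

# True when path is strictly below dir. The trailing separator keeps
# /plugins/tool_a/configs_evil from matching /plugins/tool_a/configs.
def inside?(path, dir)
  path.start_with?(dir.chomp('/') + '/')
end

# Returns :allowed or :rejected for a resolver and a submitted name.
def verdict(resolver, tool, name)
  send(resolver, tool, name)
  :allowed
rescue ArgumentError
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample names, not taken from a real deployment.
  ['layout.json', '../../tool_b/configs/layout.json'].each do |n|
    puts "#{n}: shared-root=#{verdict(:resolve_shared_root_only, 'tool_a', n)} " \
         "confined=#{verdict(:resolve_confined, 'tool_a', n)}"
  end
end
```

`File.expand_path` normalizes `..` segments but does not resolve symlinks; where the target directory can contain them, compare against `File.realpath` of the parent directory as well.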
Impact
Exploitation of this vulnerability allows for arbitrary file writes in the shared plugins directory, potentially overwriting existing configuration files or disrupting plugin functionality.
Reproduction
To reproduce this vulnerability, navigate to a tool that allows configuration saving. Use the 'Save Configuration' option to submit a file name that includes path traversal sequences, such as '../', to escape the intended directory. After saving, check the '/plugins' directory for the newly created files, which can be done by inspecting the Docker container or using the Bucket Explorer.
Remediation
Users should upgrade to OpenC3 COSMOS versions 6.10.5 or 7.0.0-rc3.
