Microsoft UFO
- v3.0.1-4-ge2626659
A path traversal vulnerability has been identified in the Microsoft UFO open-source framework, specifically in version 3.0.1-4-ge2626659. The issue arises because the framework directly uses the user-controlled 'task_name' value to construct session log paths, without proper sanitization. This allows authenticated clients to manipulate 'task_name' with path traversal sequences, causing UFO to create log directories and files outside the designated 'logs/' directory. The vulnerability can be exploited by sending crafted 'task_name' values through authenticated WebSocket or HTTP task requests, which are then processed by the UFO server. The server's session management system fails to validate or normalize these task names before using them to generate filesystem paths, leading to unauthorized file creation and log writes at locations influenced by the attacker, under the privileges of the UFO server process.
Exploitation of this vulnerability allows authenticated users to create log files and directories outside the intended 'logs/' directory, potentially overwriting existing files if the service account has write permissions. This behavior could disrupt normal operations and undermine the reliability of UFO's logging system.
The vulnerability can be reproduced by sending an authenticated task request via WebSocket or HTTP with a 'task_name' that includes path traversal sequences, such as '../'. This will cause the UFO server to create log files in a directory that escapes the intended 'logs/' root.
To address this vulnerability, it is recommended to implement proper validation and sanitization of the 'task_name' values before they are used to create log paths. This includes rejecting names that contain path separators, traversal sequences, or absolute paths. Additionally, UFO should generate opaque directory names for log storage that are not user-controlled, and ensure that all log file creations are confined to safe, intended locations.
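The following is an added example of the mitigation described above, not code from the UFO project: a task-name validator that rejects separators, traversal sequences, absolute paths and Windows-specific pitfalls (trailing dots, reserved device names), a server-generated opaque session directory, and a final containment check of the resolved path against the log root. The `logs/` root location, the `session-<id>` layout and all function names are assumptions. The `naive_session_log_dir` function reproduces the unsafe join pattern the advisory describes only so the containment check can be shown rejecting its output.

```python
"""Added example (not UFO's own code): confine session log paths to the log root."""
import re
import secrets
from pathlib import Path

# Assumed log root: the advisory names a 'logs/' directory but not its absolute location.
LOG_ROOT = Path("logs").resolve()

# Allow-list: letters, digits, '.', '_', '-'; first character must be alphanumeric,
# so '/', '\\', drive-letter ':' and a leading '..' can never match.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

# Windows maps these names to devices regardless of extension (e.g. 'NUL.log').
_WINDOWS_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_safe_task_name(task_name) -> bool:
    """Return True only for names with no separators, traversal or absolute-path forms."""
    if not isinstance(task_name, str) or _SAFE_NAME.fullmatch(task_name) is None:
        return False
    if task_name.endswith("."):  # Windows silently strips trailing dots, changing the target
        return False
    if task_name.split(".")[0].upper() in _WINDOWS_RESERVED:
        return False
    return True


def is_inside(root: Path, candidate: Path) -> bool:
    """True if candidate resolves to root itself or to something beneath it."""
    root = root.resolve()
    candidate = candidate.resolve()  # non-strict: the path need not exist yet
    try:
        candidate.relative_to(root)
        return True
    except ValueError:
        return False


def naive_session_log_dir(task_name: str, log_root: Path = LOG_ROOT) -> Path:
    """The pattern the advisory describes: client-supplied task_name joined straight into the path."""
    return log_root / task_name


def session_log_dir(task_name: str, log_root: Path = LOG_ROOT, session_id: str = "") -> Path:
    """Hardened: validate the name, add an opaque server-generated directory, re-check containment."""
    if not is_safe_task_name(task_name):
        raise ValueError(f"rejected task_name {task_name!r}")
    # Opaque per-session component chosen by the server, never by the client.
    session_id = session_id or secrets.token_hex(8)
    candidate = log_root / task_name / f"session-{session_id}"
    # Defense in depth: even a validator bug must not let the resolved path leave the root.
    if not is_inside(log_root, candidate):
        raise ValueError("session log path escapes the log root")
    return candidate


if __name__ == "__main__":
    # Constructed sample names: one benign, the rest shaped like the advisory's traversal case.
    for name in ("daily_report-01", "../outside", "/etc/passwd", "NUL.log"):
        try:
            print(name, "->", session_log_dir(name, session_id="demo"))
        except ValueError as exc:
            print(name, "-> rejected:", exc)
    print("naive join contained?", is_inside(LOG_ROOT, naive_session_log_dir("../outside")))
```

The containment check resolves both sides with `Path.resolve()`, so symlinked log roots compare consistently; on Windows the same code also catches `C:\...` and UNC forms because the allow-list never admits `:` or `\`. Run the module directly to see each constructed name accepted or rejected.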