RTGS2017 NagaAgent
cpe:2.3:a:naga_project:naga:*:*:*:*:*:*:*
- <= 5.1.0
A path traversal vulnerability has been identified in RTGS2017 NagaAgent versions through 5.1.0. The issue arises in the Skills Endpoint, specifically within the file apiserver/routes/extensions.py. The vulnerability allows for remote exploitation by manipulating the 'name' argument, which is not properly sanitized before being used to create or delete directories under the skill storage roots. This lack of validation enables crafted names to traverse directories and potentially write or delete files outside the intended scope.
Exploitation of this vulnerability allows for arbitrary directory creation or deletion, depending on the API endpoint used. This could lead to unauthorized modification of the application's filesystem, including the removal of critical application data.
The vulnerability can be reproduced by sending a POST request to '/skills/import' with a crafted 'name' parameter that includes path traversal sequences. This will create a directory outside the intended skill directory. Alternatively, the DELETE '/skills/{name}' endpoint can be used to delete arbitrarily specified directories, including those created through the import endpoint.
As of now, no official patch is available. However, it is recommended to treat skill names as identifiers rather than paths, rejecting names that include path separators or traversal sequences. Implementing proper authorization checks on skill management endpoints and running the application with limited filesystem permissions can also help mitigate the risk.
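One way to implement the "identifiers, not paths" recommendation above, as an added example that is not NagaAgent's own code. The allow-list pattern, the function names and the storage root passed in are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: allow-list for skill identifiers (the page does not define one).
SKILL_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


class InvalidSkillName(ValueError):
    """Raised when a skill name is not a plain identifier."""


def resolve_skill_dir(root: Path, name: str) -> Path:
    """Return the directory for `name` directly under `root`, or raise."""
    # 1. Identifier check: rejects '/', '\\', '.', '..', NUL, empty and
    #    over-long names before any filesystem call is made.
    if not isinstance(name, str) or not SKILL_NAME_RE.fullmatch(name):
        raise InvalidSkillName(f"rejected skill name: {name!r}")
    # 2. Containment check (defence in depth): a symlink placed inside the
    #    root passes step 1 but resolves to a location outside it.
    root_real = root.resolve()
    candidate = (root_real / name).resolve()
    if candidate.parent != root_real:
        raise InvalidSkillName(f"skill path escapes storage root: {name!r}")
    return candidate


def check_names(root: Path, names):
    """Map each name to True (accepted) or False (rejected)."""
    results = {}
    for n in names:
        try:
            resolve_skill_dir(root, n)
            results[n] = True
        except InvalidSkillName:
            results[n] = False
    return results


# Constructed sample inputs: two valid identifiers, then names to reject.
SAMPLE_NAMES = ["weather-tool", "notes_v2", "../outside", "..", "a/b",
                "a\\b", "/etc", "", ".hidden", "x\x00y"]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, ok in check_names(Path(tmp), SAMPLE_NAMES).items():
            print(f"{name!r:16} {'accepted' if ok else 'rejected'}")
```

Both the import and delete handlers would call the same resolver, so a name rejected for creation can never be accepted for deletion.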