charm.land/wish SCP Path Traversal Vulnerability
The charm.land/wish/v2 and github.com/charmbracelet/wish libraries are vulnerable to path traversal attacks via the SCP protocol, allowing malicious clients to read or write arbitrary files, create directories outside the configured root, and enumerate files, potentially leading to remote code execution or data exfiltration.
The charm.land/wish/v2 and github.com/charmbracelet/wish libraries are susceptible to path traversal vulnerabilities within their SCP middleware. This flaw allows an attacker to bypass intended directory restrictions and access files and directories outside the designated root. Specifically, versions of charm.land/wish/v2 up to commit 72d67e6 and likely all v1 versions of github.com/charmbracelet/wish are affected due to insufficient input validation in the fileSystemHandler.prefixed() method. An authenticated SSH user, or potentially an unauthenticated user in default configurations, can exploit this to read sensitive files, write malicious files to arbitrary locations, create directories, and enumerate files outside the intended root directory, ultimately risking remote code execution and data breaches.
Attack Chain
- An attacker establishes an SSH connection to a vulnerable server.
- The attacker initiates an SCP session, either to upload (
scp -t) or download (scp -f) files. - If uploading files, the attacker crafts SCP protocol messages containing filenames with
../sequences to traverse directories outside the intended root. The vulnerable regexesreNewFileandreNewFolderare exploited. - If downloading files, the attacker specifies a file path containing
../sequences as an argument to thescpcommand, such asscp user@host:../../../etc/passwd. - The
fileSystemHandler.prefixed()method fails to properly sanitize the path, resulting in a path outside the configured root directory. - The attacker reads arbitrary files on the server if the SCP session was initiated with the
-fflag and a crafted filepath. - The attacker writes arbitrary files to the server if the SCP session was initiated with the
-tflag and a crafted filename, by exploiting the flawed logic inscp/copy_from_client.go. - Successful exploitation can lead to remote code execution by overwriting critical system files or data exfiltration by reading sensitive information.
Impact
Successful exploitation of this path traversal vulnerability allows an authenticated SSH user (or unauthenticated in default configurations) to perform critical actions. This includes writing arbitrary files, enabling remote code execution via cron jobs, SSH authorized_keys, shell profiles, or systemd units, leading to full system compromise. Attackers can also read arbitrary files accessible to the server process, such as /etc/shadow, private keys, database credentials, and application secrets, causing sensitive data exposure. The creation of arbitrary directories and the enumeration of files outside the root directory further expand the attacker's control and reconnaissance capabilities.
Recommendation
- Apply the provided remediation to the
prefixed()function to enforce root containment, ensuring that all paths resolve within the intended directory. Specifically, implement the correctedprefixed()function to sanitize the input path (reference: Remediation section in the content). - Implement filename sanitization in
copy_from_client.goto reject filenames containing path separators or..components during file uploads (reference: Remediation section in the content). - Deploy the Sigma rule "Detect SCP Path Traversal via Filename" to identify attempts to exploit the vulnerability by detecting suspicious filenames during SCP file transfers.
- Deploy the Sigma rule "Detect SCP Path Traversal via Filepath" to identify attempts to exploit the vulnerability by detecting suspicious filepaths during SCP file downloads.
Detection coverage 2
Detect SCP Path Traversal via Filename
highDetects attempts to exploit path traversal vulnerabilities in SCP servers by identifying filenames containing '..' sequences or path separators during file uploads.
Detect SCP Path Traversal via Filepath
highDetects attempts to exploit path traversal vulnerabilities in SCP servers by identifying filepaths containing '..' sequences used during file downloads.
Detection queries are available on the platform. Get full rules →