Attack Chain

1. An attacker sends a POST request to the /scan endpoint of the dalfox REST API server.
2. The request body contains a JSON object with the url field set to the scan target and the options field containing attacker-controlled values for output, output-all, and debug.
3. The postScanHandler function binds the JSON request body to a Req struct, which includes the Options field of type model.Options.
4. The ScanFromAPI function is called with the attacker-supplied URL and Options values.
5. The Initialize function copies the attacker-controlled OutputFile, OutputAll, and Debug values from the Options struct into a new newOptions struct.
6. The DalLog function is called to write log messages. Critically, the file write operation using os.OpenFile(options.OutputFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) occurs outside the IsLibrary check.
7. The attacker-specified file path is opened in append mode, and log messages are written to it. The URL parameter is also written verbatim in the logs, allowing partial content control.
8. The attacker achieves arbitrary file creation or append on the dalfox host, leading to potential system compromise.

Impact

Successful exploitation allows an attacker to create new files or append data to existing files on the dalfox host, provided the dalfox process has the necessary write permissions. This can lead to various impacts, including: arbitrary file creation (e.g., creating web shells in web-serving directories), arbitrary file append/corruption (e.g., corrupting application configuration files or cron entries), and potential remote code execution if the attacker can inject malicious content into a configuration file or script that is subsequently executed. The lack of authentication by default increases the severity, as any network-accessible dalfox instance is vulnerable.

Recommendation

• Deploy the Sigma rule Detect Dalfox Unauthenticated File Write Attempt to identify attempts to exploit this vulnerability by monitoring for POST requests to the /scan endpoint with suspicious output parameters.
• Apply the recommended remediation by nullifying filesystem-dangerous fields from API-sourced requests in the postScanHandler function as outlined in the advisory. This includes setting rq.Options.OutputFile = "" before calling ScanFromAPI.
• As a defense-in-depth measure, guard the file write operation with IsLibrary in the DalLog function, ensuring that file writes only occur in non-library (CLI) mode.
• Enforce the use of the --api-key option at server startup, making authentication mandatory for the REST API server.
• Upgrade to a patched version of dalfox that incorporates these security fixes.