{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/apm-cli/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["apm-cli"],"_cs_severities":["high"],"_cs_tags":["path-traversal","supply-chain","apm-cli"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Microsoft APM CLI is vulnerable to a path traversal vulnerability in versions 0.8.11 and earlier. This vulnerability arises during the installation of marketplace plugins, where the CLI normalizes plugins by copying components referenced in the \u003ccode\u003eplugin.json\u003c/code\u003e file. The \u003ccode\u003eagents\u003c/code\u003e, \u003ccode\u003eskills\u003c/code\u003e, \u003ccode\u003ecommands\u003c/code\u003e, and \u003ccode\u003ehooks\u003c/code\u003e fields in \u003ccode\u003eplugin.json\u003c/code\u003e are attacker-controlled. However, the implementation fails to validate that these paths remain within the plugin directory. Consequently, a malicious plugin can exploit this by using absolute paths or \u003ccode\u003e../\u003c/code\u003e traversal paths to copy arbitrary, readable host files or directories from the installer\u0026rsquo;s machine during the \u003ccode\u003eapm install\u003c/code\u003e process. This allows attackers to stage local files into repository-controlled paths, potentially leading to the exposure of sensitive information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious APM plugin with a \u003ccode\u003eplugin.json\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eplugin.json\u003c/code\u003e file contains crafted paths within the \u003ccode\u003ecommands\u003c/code\u003e field pointing to sensitive host files using absolute paths or relative path traversal (e.g., \u003ccode\u003ecommands: \u0026quot;D:\\\\absolute\\\\path\\\\to\\\\victim\\\\secret.md\u0026quot;\u003c/code\u003e or \u003ccode\u003ecommands: \u0026quot;../../../secret.md\u0026quot;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eA user executes the \u003ccode\u003eapm install\u003c/code\u003e command, referencing the malicious plugin either locally or remotely.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enormalize_plugin_directory\u003c/code\u003e function in \u003ccode\u003esrc/apm_cli/commands/install.py\u003c/code\u003e processes the plugin.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e_resolve_sources()\u003c/code\u003e function in \u003ccode\u003esrc/apm_cli/deps/plugin_parser.py\u003c/code\u003e resolves the component paths specified in \u003ccode\u003eplugin.json\u003c/code\u003e without proper validation.\u003c/li\u003e\n\u003cli\u003eThe APM CLI copies the files pointed to by the malicious paths into the \u003ccode\u003e.apm/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eIf the copied files are recognized as prompt files (e.g., end with \u003ccode\u003e.prompt.md\u003c/code\u003e), they are integrated into the \u003ccode\u003e.github/prompts/\u003c/code\u003e directory of the project via \u003ccode\u003eprompt_integrator.py\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to sensitive information from the copied files, which may then be committed and synced.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to read arbitrary files from the victim\u0026rsquo;s machine during the installation of a malicious APM plugin. This can lead to the disclosure of sensitive information, such as local notes, markdown files, source code, or configuration files. The copied files can be automatically written into \u003ccode\u003e.github/prompts/\u003c/code\u003e, increasing the likelihood that sensitive or attacker-selected content is committed, synced, or consumed by other tooling. The issue breaks the expected trust boundary that a dependency install should copy only content belonging to the dependency itself.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;APM CLI Plugin Install Path Traversal - Absolute Path\u0026rdquo; Sigma rule to detect attempts to use absolute paths in \u003ccode\u003eplugin.json\u003c/code\u003e configurations, which can be indicative of malicious plugin activity.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;APM CLI Plugin Install Path Traversal - Relative Path\u0026rdquo; Sigma rule to detect attempts to use relative paths with traversal sequences in \u003ccode\u003eplugin.json\u003c/code\u003e configurations.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of \u003ccode\u003eapm-cli\u003c/code\u003e that includes the recommended fix of resolving manifest-controlled component paths against \u003ccode\u003eplugin_path.resolve()\u003c/code\u003e, rejecting absolute or relative paths that escape the plugin root.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on the \u003ccode\u003e.apm/\u003c/code\u003e directory to detect unauthorized file modifications or additions, using file_event logging.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-apm-cli-path-traversal/","summary":"Microsoft APM CLI version 0.8.11 and earlier are vulnerable to path traversal, allowing a malicious plugin to copy arbitrary readable host files during installation by manipulating paths in the plugin.json file.","title":"Microsoft APM CLI Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-apm-cli-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Apm-Cli","version":"https://jsonfeed.org/version/1.1"}