{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/evolver/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["@evomap/evolver"],"_cs_severities":["high"],"_cs_tags":["path-traversal","arbitrary-file-write","privilege-escalation","evolver"],"_cs_type":"advisory","_cs_vendors":["@evomap"],"content_html":"\u003cp\u003eThe \u003ccode\u003e@evomap/evolver\u003c/code\u003e package contains a path traversal vulnerability in its \u003ccode\u003efetch\u003c/code\u003e command, specifically affecting versions prior to 1.69.3. This flaw arises from the insufficient validation of user-supplied paths provided via the \u003ccode\u003e--out\u003c/code\u003e flag. By manipulating this flag, attackers can bypass intended directory restrictions and write files to arbitrary locations on the filesystem. This can lead to critical system file modification, potentially leading to privilege escalation and persistent backdoor installation. The vulnerability exists in the \u003ccode\u003eindex.js\u003c/code\u003e file, where the application processes the \u003ccode\u003e--out\u003c/code\u003e flag without proper sanitization before writing files to the specified directory. This is particularly concerning in automated environments like CI/CD pipelines where user input might be indirectly injected into the \u003ccode\u003efetch\u003c/code\u003e command.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains control over the input to the \u003ccode\u003efetch\u003c/code\u003e command, including the \u003ccode\u003e--out\u003c/code\u003e flag.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003e--out\u003c/code\u003e parameter containing path traversal sequences (e.g., \u003ccode\u003e../../../\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efetch\u003c/code\u003e command in \u003ccode\u003eindex.js\u003c/code\u003e processes the \u003ccode\u003e--out\u003c/code\u003e flag and extracts the user-provided path without validation.\u003c/li\u003e\n\u003cli\u003eThe application attempts to create the directory specified by the manipulated \u003ccode\u003e--out\u003c/code\u003e flag using \u003ccode\u003efs.mkdirSync\u003c/code\u003e with the \u003ccode\u003erecursive\u003c/code\u003e option.\u003c/li\u003e\n\u003cli\u003eThe application writes files (e.g., downloaded skill files) to the directory specified in the \u003ccode\u003e--out\u003c/code\u003e parameter using \u003ccode\u003efs.writeFileSync\u003c/code\u003e, effectively writing to an arbitrary location.\u003c/li\u003e\n\u003cli\u003eIf the attacker has sufficient privileges, they can overwrite critical system files or create new files in sensitive directories like \u003ccode\u003e/etc/cron.d\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the modified files to achieve persistence (e.g., by creating a cron job).\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious code, gaining unauthorized access or escalating privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to write files to arbitrary locations on the filesystem. This can lead to several critical consequences, including overwriting system configuration files, installing persistent backdoors via cron jobs, modifying SSH authorized_keys for unauthorized access, and potentially achieving privilege escalation if the affected process runs with elevated privileges. The impact is particularly severe in automated environments where this tool is used to deploy code, as it opens the door for supply chain attacks. This issue affects users of \u003ccode\u003e@evomap/evolver\u003c/code\u003e prior to version 1.69.3.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003e@evomap/evolver\u003c/code\u003e package to version 1.69.3 or later to remediate the path traversal vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Evolver Path Traversal Attempt\u003c/code\u003e to identify exploitation attempts based on command-line arguments.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for command-line arguments containing path traversal sequences like \u003ccode\u003e../\u003c/code\u003e when executing \u003ccode\u003enode\u003c/code\u003e or \u003ccode\u003enodejs\u003c/code\u003e related to evolver.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-08-10T12:00:00Z","date_published":"2024-08-10T12:00:00Z","id":"/briefs/2024-08-evolver-path-traversal/","summary":"A path traversal vulnerability exists in the `fetch` command of `@evomap/evolver` due to insufficient validation of the `--out` flag, allowing attackers to write files to arbitrary locations on the filesystem, potentially leading to overwriting critical system files and privilege escalation.","title":"Evolver Path Traversal Vulnerability in `fetch` Command","url":"https://feed.craftedsignal.io/briefs/2024-08-evolver-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["@evomap/evolver"],"_cs_severities":["critical"],"_cs_tags":["command-injection","rce","evolver"],"_cs_type":"advisory","_cs_vendors":["Evomap"],"content_html":"\u003cp\u003eA command injection vulnerability exists in the \u003ccode\u003e_extractLLM()\u003c/code\u003e function within the \u003ccode\u003esrc/gep/signals.js\u003c/code\u003e file of the evolver application, specifically in versions prior to 1.69.3. The vulnerability stems from the function\u0026rsquo;s construction of a \u003ccode\u003ecurl\u003c/code\u003e command via string concatenation, incorporating the \u003ccode\u003ecorpus\u003c/code\u003e parameter without sufficient sanitization. This parameter, derived from user input through the \u003ccode\u003eextractSignals()\u003c/code\u003e function, is susceptible to shell command substitution using the \u003ccode\u003e$(...)\u003c/code\u003e syntax when processed by \u003ccode\u003eexecSync()\u003c/code\u003e. Successful exploitation grants attackers the ability to execute arbitrary shell commands within the context of the Node.js process. This flaw poses a significant risk, potentially leading to full system compromise, data exfiltration, or the installation of malicious software.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious input string containing shell metacharacters (e.g., \u003ccode\u003e$(...)\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThis malicious string is passed as the \u003ccode\u003euserSnippet\u003c/code\u003e parameter to the \u003ccode\u003eextractSignals()\u003c/code\u003e function within \u003ccode\u003esrc/gep/evolver.js\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eextractSignals()\u003c/code\u003e function processes the user snippet and extracts a summary.\u003c/li\u003e\n\u003cli\u003eThe extracted summary, which includes the malicious payload, is passed as the \u003ccode\u003ecorpus\u003c/code\u003e parameter to the vulnerable \u003ccode\u003e_extractLLM()\u003c/code\u003e function in \u003ccode\u003esrc/gep/signals.js\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e_extractLLM()\u003c/code\u003e function constructs a \u003ccode\u003ecurl\u003c/code\u003e command by concatenating strings, embedding the unsanitized \u003ccode\u003ecorpus\u003c/code\u003e parameter within the command string.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecurl\u003c/code\u003e command is executed using \u003ccode\u003eexecSync()\u003c/code\u003e, which interprets the shell metacharacters and executes the injected commands.\u003c/li\u003e\n\u003cli\u003eThe injected commands are executed with the privileges of the Node.js process.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution, enabling them to perform actions such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the server hosting the evolver application. This can lead to full system compromise, allowing attackers to steal sensitive data, install malware, or pivot to other systems on the network. The vulnerability affects anyone running the evolver with the GEP (Genetic Evolution Protocol) enabled and processing user-provided content. The affected package is npm/@evomap/evolver (vulnerable: \u0026lt; 1.69.3).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003e@evomap/evolver\u003c/code\u003e package to version 1.69.3 or later to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Evolver Command Injection Attempt\u0026rdquo; to identify attempts to exploit this vulnerability by detecting shell metacharacters in process execution logs.\u003c/li\u003e\n\u003cli\u003eReview and sanitize all user-provided content before it is processed by the \u003ccode\u003eextractSignals()\u003c/code\u003e and \u003ccode\u003e_extractLLM()\u003c/code\u003e functions.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation to prevent shell metacharacters from reaching the vulnerable code.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-09-evolver-rce/","summary":"A command injection vulnerability in the `_extractLLM()` function of the evolver application allows remote attackers to execute arbitrary shell commands by injecting shell metacharacters into the `corpus` parameter, leading to potential system compromise.","title":"Evolver Remote Code Execution via Command Injection in `_extractLLM()`","url":"https://feed.craftedsignal.io/briefs/2024-01-09-evolver-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Evolver","version":"https://jsonfeed.org/version/1.1"}