{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/wish/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Wish"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","scp","charmbracelet","wish"],"_cs_type":"advisory","_cs_vendors":["Charm"],"content_html":"\u003cp\u003eThe \u003ccode\u003echarm.land/wish/v2\u003c/code\u003e and \u003ccode\u003egithub.com/charmbracelet/wish\u003c/code\u003e libraries are susceptible to path traversal vulnerabilities within their SCP middleware. This flaw allows an attacker to bypass intended directory restrictions and access files and directories outside the designated root. Specifically, versions of \u003ccode\u003echarm.land/wish/v2\u003c/code\u003e up to commit \u003ccode\u003e72d67e6\u003c/code\u003e and likely all v1 versions of \u003ccode\u003egithub.com/charmbracelet/wish\u003c/code\u003e are affected due to insufficient input validation in the \u003ccode\u003efileSystemHandler.prefixed()\u003c/code\u003e method. An authenticated SSH user, or potentially an unauthenticated user in default configurations, can exploit this to read sensitive files, write malicious files to arbitrary locations, create directories, and enumerate files outside the intended root directory, ultimately risking remote code execution and data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker establishes an SSH connection to a vulnerable server.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates an SCP session, either to upload (\u003ccode\u003escp -t\u003c/code\u003e) or download (\u003ccode\u003escp -f\u003c/code\u003e) files.\u003c/li\u003e\n\u003cli\u003eIf uploading files, the attacker crafts SCP protocol messages containing filenames with \u003ccode\u003e../\u003c/code\u003e sequences to traverse directories outside the intended root. The vulnerable regexes \u003ccode\u003ereNewFile\u003c/code\u003e and \u003ccode\u003ereNewFolder\u003c/code\u003e are exploited.\u003c/li\u003e\n\u003cli\u003eIf downloading files, the attacker specifies a file path containing \u003ccode\u003e../\u003c/code\u003e sequences as an argument to the \u003ccode\u003escp\u003c/code\u003e command, such as \u003ccode\u003escp user@host:../../../etc/passwd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efileSystemHandler.prefixed()\u003c/code\u003e method fails to properly sanitize the path, resulting in a path outside the configured root directory.\u003c/li\u003e\n\u003cli\u003eThe attacker reads arbitrary files on the server if the SCP session was initiated with the \u003ccode\u003e-f\u003c/code\u003e flag and a crafted filepath.\u003c/li\u003e\n\u003cli\u003eThe attacker writes arbitrary files to the server if the SCP session was initiated with the \u003ccode\u003e-t\u003c/code\u003e flag and a crafted filename, by exploiting the flawed logic in \u003ccode\u003escp/copy_from_client.go\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation can lead to remote code execution by overwriting critical system files or data exfiltration by reading sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this path traversal vulnerability allows an authenticated SSH user (or unauthenticated in default configurations) to perform critical actions. This includes writing arbitrary files, enabling remote code execution via cron jobs, SSH authorized_keys, shell profiles, or systemd units, leading to full system compromise. Attackers can also read arbitrary files accessible to the server process, such as \u003ccode\u003e/etc/shadow\u003c/code\u003e, private keys, database credentials, and application secrets, causing sensitive data exposure. The creation of arbitrary directories and the enumeration of files outside the root directory further expand the attacker's control and reconnaissance capabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the provided remediation to the \u003ccode\u003eprefixed()\u003c/code\u003e function to enforce root containment, ensuring that all paths resolve within the intended directory. Specifically, implement the corrected \u003ccode\u003eprefixed()\u003c/code\u003e function to sanitize the input path (reference: Remediation section in the content).\u003c/li\u003e\n\u003cli\u003eImplement filename sanitization in \u003ccode\u003ecopy_from_client.go\u003c/code\u003e to reject filenames containing path separators or \u003ccode\u003e..\u003c/code\u003e components during file uploads (reference: Remediation section in the content).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect SCP Path Traversal via Filename\u0026quot; to identify attempts to exploit the vulnerability by detecting suspicious filenames during SCP file transfers.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect SCP Path Traversal via Filepath\u0026quot; to identify attempts to exploit the vulnerability by detecting suspicious filepaths during SCP file downloads.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-wish-scp-path-traversal/","summary":"The charm.land/wish/v2 and github.com/charmbracelet/wish libraries are vulnerable to path traversal attacks via the SCP protocol, allowing malicious clients to read or write arbitrary files, create directories outside the configured root, and enumerate files, potentially leading to remote code execution or data exfiltration.","title":"charm.land/wish SCP Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-wish-scp-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed - Wish","version":"https://jsonfeed.org/version/1.1"}