CVE-2023-35844: Arbitrary File Read in Lightdash


Summary

Lightdash versions up to and including 0.506.4 are vulnerable to a path traversal attack that lets an attacker read arbitrary files on the server (anything readable by the Lightdash process). The vulnerability is triggered by appending directory traversal sequences to the image ID parameter of the Slack image endpoint, which bypasses the intended directory restriction and returns the contents of sensitive files.

Description

The Slack image endpoint serves images that have been uploaded to Slack and subsequently saved on the Lightdash server. It takes an image ID as a route parameter and returns the corresponding image file from disk. The vulnerability lies in how the server turns that image ID into a file path: the parameter is neither sanitized nor validated before it is used.

Details

Slack Router

File /packages/backend/src/routers/slackRouter.ts:66-71:

slackRouter.get(
    '/image/:imageId',

    async (req, res, next) => {
        // ...
        // Vulnerable: the raw route parameter is joined onto /tmp with no
        // validation and no check that the result stays inside /tmp.
        const filePath = path.join('/tmp', req.params.imageId);
        if (!fs.existsSync(filePath)) {
            // Verbose error: reveals storage and deployment details to the caller.
            const error = `This file ${req.params.imageId} doesn't exist on this server, this may be happening if you are running multiple containers or because files are not persisted. You can check out our docs to learn more on how to enable cloud storage: https://docs.lightdash.com/self-host/customize-deployment/configure-lightdash-to-use-external-object-storage`;
            throw new NotFoundError(error);
        }
        // The unvalidated path is served directly.
        res.sendFile(filePath);
        // ...
    },
);

When a request is made to the /image/:imageId endpoint, the server builds a file path by joining the imageId parameter onto the /tmp directory and uses that path to locate and serve the image. Because the imageId parameter is never sanitized or validated, and the resulting path is never checked to be inside /tmp, the parameter can steer the lookup to any file on the filesystem.

If the constructed file path does not exist, the server throws a NotFoundError whose message echoes the requested ID and explains that files are stored locally and may not persist across containers. This message discloses details of the deployment (local file storage, possible multi-container setup) that help an attacker understand the server's configuration.

Proof of Concept

A single curl request is enough to trigger the vulnerability. The following command is the proof of concept:

curl "https://localhost/api/v1/slack/image/slack-image%2F..%2F..%2F..%2Fetc%2Fpasswd"

In this command, the attacker appends %2F..%2F..%2F..%2Fetc%2Fpasswd to the imageId parameter. %2F is the URL encoding of /, so the whole value stays within a single path segment and still matches the :imageId route; Express decodes the parameter before the handler runs, so path.join receives the traversal sequence slack-image/../../../etc/passwd.

path.join normalizes the ../ components away, so the constructed path resolves to /etc/passwd and res.sendFile returns that file to the attacker.

Impact

This vulnerability allows an unauthenticated attacker to read any file the Lightdash process can access, resulting in information disclosure (configuration, credentials, and other sensitive data stored on the server).

Timeline

References