[Vulnerability] Arbitrary File Write leading to Remote Code Execution (RCE) #467
Comments
It would be really appreciated if you could check on this issue immediately.
FYI I have found the resolve-path module useful to fix this type of vulnerability.
CVE assigned for this bug, I guess: CVE-2024-27448
The exploit gist is here for reference: https://gist.github.com/stypr/fe2003f00959f7e3d92ab9d5260433f8
We (the organizing members of the international cybersecurity competition CODEGATE - https://codegate2023.org/) have found a vulnerability that could possibly overwrite any files by sending a malicious e-mail to port 1025.
This vulnerability could possibly force-write existing source code and could completely take over the server.
Explanation
`maildev/lib/mailserver.js`, lines 92 to 100 in 357a20e
There is no path sanitization done when files are sent with a malicious `contentId`. This means it is possible to do a path traversal to access the parent directory and overwrite any files.

For example, when a mail with the following content is sent to a server on port 1025, `lib/routes.js` will be overwritten and the malicious code will start to take effect from the next restart of the process. There is no user interaction required to achieve this attack.

The following mail content was tested on the latest Docker instance (`soulteary/maildev:latest`) and was found to be exploitable.

content of the encoded base64 content
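Added example (not part of the original issue and not maildev's own code): one way to implement the missing containment check on `contentId` before an attachment is written. The helper names, the `mailDir`/`mailId`/file layout and the sample values are assumptions made for illustration.

```javascript
const path = require('node:path');

// Hypothetical helper: resolve an untrusted name under baseDir and throw
// unless the result is strictly inside baseDir.
function resolveInside(baseDir, untrustedName) {
  if (typeof untrustedName !== 'string' || untrustedName === '') {
    throw new Error('missing name');
  }
  if (untrustedName.includes('\0')) {
    throw new Error('NUL byte in name');
  }
  const base = path.resolve(baseDir);
  const target = path.resolve(base, untrustedName);
  const rel = path.relative(base, target);
  // rel is '' for base itself, begins with '..' when target climbs out,
  // and is absolute on Windows when target is on another drive.
  const escapes = rel === '' || rel === '..' ||
    rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (escapes) {
    throw new Error('path escapes ' + base);
  }
  return target;
}

// Hypothetical helper: contentId comes from the message, so it is hostile
// input and must name a file directly inside the per-mail directory.
function attachmentPath(mailDir, mailId, contentId) {
  const dir = resolveInside(mailDir, mailId);
  const target = resolveInside(dir, contentId);
  if (path.dirname(target) !== dir) {
    throw new Error('nested path not allowed');
  }
  return target;
}

// Constructed sample Content-ID values (not taken from the report).
const samples = ['logo.png', '..hidden', '../outside.txt', '/tmp/abs.txt', 'a/b.png', 'x/../../y'];

function checkSamples(mailDir, mailId) {
  return samples.map((cid) => {
    try {
      return { cid, ok: true, path: attachmentPath(mailDir, mailId, cid) };
    } catch (err) {
      return { cid, ok: false, reason: err.message };
    }
  });
}

console.table(checkSamples('/var/maildev', 'abc123'));
```

The check is lexical and does not follow symlinks, so the storage directory must not contain links that untrusted parties can create. Generating the on-disk filename server-side instead of reusing `contentId` removes the untrusted input from the path entirely.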