Reported by Sayan Nandan <[email protected]>
Reported on Feb 14, 2021, 05:30 UTC
Patch Release Date Feb 15, 2021, 05:39 UTC
Public Disclosure Date Feb 17, 2021, 07:15 UTC
Affected versions 0.5.0
Affected binaries server (tdb)
Patched binary link
Attack type Directory Traversal
Impact Escalation of Privileges
Attack vectors Access to the database server
Procedure Run the 'enhanced' MKSNAP action with a snapshot name that contains directory traversal syntax.
If Person A runs the database server on system S and the database port (say port X) is reachable from outside, Person B can connect to the server on S. Person B can then run the MKSNAP action with a snapshot name containing directory traversal syntax to overwrite or destroy files outside the snapshot location, anywhere the server process has write permission. For example, if Person B runs:
MKSNAP ../bad
then the database server attempts to write a snapshot of the database to the path ../bad.snapshot, that is, one directory above the server's working directory. If a file already exists at that path and the server process has write permission to it, its contents are overwritten.
Even worse, Person B can also run:
MKSNAP /var/file
Because the name is an absolute path, the server writes to /var/file.snapshot regardless of its working directory. Any file whose name matches the attacker-supplied path plus the '.snapshot' suffix, including critical system files, can be overwritten if the server process has write permission to it (for example, when it runs as root).
Erroneous logic In release 0.5.0 the snapshot file path was generated by appending the string '.snapshot' to the client-supplied name. The name was not sanitized, so '..' components and absolute paths were passed straight through to the filesystem.
Mitigation The snapshot name must be sanitized before it is used in a path: reject any name containing directory traversal syntax ('..'), a path separator or a leading root, and only then append '.snapshot' and place the result inside the snapshot directory.
Public patch commit 30532bb462596ebebd10704a0d8bfd27770aa756
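The check the Mitigation line calls for, written out as an added Rust example (the server is a Rust program). This is not the project's code and not the contents of the public patch commit; the snapshot directory /srv/tdb/snapshots, the function names and the error type are assumptions made for the example. The first function reconstructs the 0.5.0 behaviour described above so the two inputs from the advisory can be seen escaping the directory; the second rejects them.

```rust
use std::path::{Component, Path, PathBuf};

/// Behaviour the advisory describes for 0.5.0: the client-supplied name is
/// used as-is and ".snapshot" is appended. Illustrative reconstruction, not
/// the project's code. Note that `Path::join` with an absolute argument
/// discards the base directory entirely, which is why "/var/file" lands in /var.
fn vulnerable_snapshot_path(snap_dir: &Path, name: &str) -> PathBuf {
    snap_dir.join(format!("{}.snapshot", name))
}

/// Reasons a snapshot name is rejected (assumed error type for this example).
#[derive(Debug, PartialEq, Eq)]
enum SnapNameError {
    Empty,
    /// The name contains "..", ".", a path separator or a root: it is not a
    /// single plain file-name component.
    Traversal,
    /// The name contains characters outside the allowed set.
    BadChars,
}

/// Sanitized version: the name must parse as exactly one `Component::Normal`
/// and be drawn from a conservative character set before it is joined to
/// `snap_dir` and given the ".snapshot" suffix.
fn safe_snapshot_path(snap_dir: &Path, name: &str) -> Result<PathBuf, SnapNameError> {
    if name.is_empty() {
        return Err(SnapNameError::Empty);
    }

    // Structural check: parse the name as a path and require a single Normal
    // component. "../bad" yields [ParentDir, Normal("bad")], "/var/file"
    // yields [RootDir, Normal("var"), Normal("file")], "a/b" yields two
    // Normals; all of these are rejected.
    let mut components = Path::new(name).components();
    match (components.next(), components.next()) {
        (Some(Component::Normal(_)), None) => {}
        _ => return Err(SnapNameError::Traversal),
    }

    // Belt and braces: an allowlist for the file name itself, so control
    // characters, whitespace and leading dots cannot be smuggled in even on
    // platforms with different separator rules.
    if !name
        .chars()
        .all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_')
    {
        return Err(SnapNameError::BadChars);
    }

    // Only now is the suffix appended and the name placed under the directory.
    // A post-join `candidate.starts_with(snap_dir)` check would NOT have caught
    // "../bad" on its own: Path::starts_with compares components without
    // resolving "..", so the structural check above is what actually matters.
    Ok(snap_dir.join(format!("{}.snapshot", name)))
}

fn main() {
    // Assumed snapshot directory for the example.
    let snap_dir = Path::new("/srv/tdb/snapshots");
    for name in ["nightly-01", "../bad", "/var/file", "a/b", ""] {
        println!(
            "{:>12} | 0.5.0 -> {} | sanitized -> {:?}",
            name,
            vulnerable_snapshot_path(snap_dir, name).display(),
            safe_snapshot_path(snap_dir, name)
        );
    }
}
```

The structural check is the one that matters for this advisory: rejecting anything that is not a single normal path component rules out both the relative form (../bad) and the absolute form (/var/file) before any path is built. Checking the joined path afterwards with a string or component prefix test is not a substitute, because neither resolves '..'.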