Reported by | Sayan Nandan <ohsayan@outlook.com> |
---|---|
CVE | CVE-2021-32814 |
Reported on | Feb 14, 2021 0530 UTC |
Patch Release Date | Feb 15, 2021 0539 UTC |
Public Disclosure Date | Feb 17, 2021 0715 UTC |
Affected versions | 0.5.0 |
Affected binaries | server (tdb) |
Patched binary link | https://dl.skytable.io/v0.5-hotfix.1 |
Attack type | Directory Traversal |
Impact | (1) Loss of data |
Attack vectors | Remote access to the database server |
Procedure | Run the 'enhanced' MKSNAP action using directory traversal syntax. If Person A is running the database server on system S and the database port (say port X) is not blocked from outside access, then Person B can connect to the database server running on S. They can then run the MKSNAP action with directory traversal syntax to overwrite and/or destroy files in the path. For example, if Person B runs `MKSNAP ../../../../bad`, the database server will attempt to create a snapshot of the database at the file path `remote/../../../../bad.snapshot`, which in practice can point to the root (`/`) directory. If such a file already exists, its contents can be overwritten if appropriate permissions aren't set, which also makes it possible to overwrite critical system files of the same name if appropriate permissions aren't set. |
Erroneous logic | At release 0.5.0, the file path for the snapshot was simply generated by appending a '.snapshot' string. The path was not sanitized. |
Mitigation | The file path simply needs to be sanitized to check for directory traversal syntax |
Public patch commit | 30532bb462596ebebd10704a0d8bfd27770aa756 |
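
The "Erroneous logic" and "Mitigation" rows describe a snapshot path built by plain string concatenation with no validation. The Rust snippet below is an added illustration and is not Skytable's code or the contents of the hotfix commit: `snapshot_path_unsanitized` reproduces the 0.5.0 behaviour the advisory describes, and `snapshot_path_sanitized` shows one way to apply the mitigation by accepting only a single normal path component before any path is built. The `remote` directory name and the `.snapshot` suffix are taken from the advisory's example path; the function names, the constant and the allowlist rule are assumptions made for this example.

```rust
use std::path::{Component, Path, PathBuf};

/// Directory under which snapshots are written. The name "remote" comes from the
/// advisory's example path; it is an assumption here, not read from Skytable's source.
const SNAPSHOT_DIR: &str = "remote";

/// Reproduces the 0.5.0 logic the advisory describes: the client-supplied name is
/// joined to the snapshot directory and ".snapshot" is appended, with no validation.
/// "../../../../bad" therefore yields "remote/../../../../bad.snapshot".
pub fn snapshot_path_unsanitized(name: &str) -> PathBuf {
    Path::new(SNAPSHOT_DIR).join(format!("{}.snapshot", name))
}

/// Hardened variant (an assumed fix, for illustration): the name must parse as exactly
/// one `Component::Normal`, so "..", ".", absolute paths, nested paths and the empty
/// string are all rejected before a path is built. Backslashes and NUL are refused as
/// well so the rule also holds on platforms where `Path` does not treat '\\' as a
/// separator.
pub fn snapshot_path_sanitized(name: &str) -> Option<PathBuf> {
    if name.contains('\\') || name.contains('\0') {
        return None;
    }
    let mut components = Path::new(name).components();
    match (components.next(), components.next()) {
        (Some(Component::Normal(segment)), None) => Some(
            Path::new(SNAPSHOT_DIR).join(format!("{}.snapshot", segment.to_string_lossy())),
        ),
        _ => None,
    }
}

fn main() {
    // The advisory's own example plus a few constructed names, run through both builders.
    for &name in ["../../../../bad", "bad", "/abs/path", "a/b", ".", ""].iter() {
        println!(
            "{:<18} unsanitized={:?} sanitized={:?}",
            name,
            snapshot_path_unsanitized(name),
            snapshot_path_sanitized(name)
        );
    }
}
```

The check runs on the path components rather than searching the string for `..`, so a name such as `a..b` is still accepted while `../x`, `./x`, `/x` and `a/b` are refused with a single rule.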