CVE-2024-41922
A directory traversal vulnerability exists in the log files download functionality of Veertu Anka Build 1.42.0. A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Veertu Anka Build 1.42.0
Anka Build - https://veertu.com/download-anka-build/
7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
Anka Build is a suite of software tools designed for macOS virtualization, specifically for testing macOS or iOS applications in CI/CD environments. The suite comprises three main components: Controller, Registry, and Nodes. Anka Build Controller is centralized dashboard for managing nodes, VM instances, templates, tags, and logs. Anka Build Registry serves as the central repository for macOS VM templates and tags, facilitating easy access and version control. Anka Build Nodes are macOS hosts that run on-demand VM instances.
The default installation of the Controller LaunchDaemon runs on the port 80 and the Registry LaunchDaemon runs on the port 8089.
A directory traversal vulnerability exists in the Anka Build Controller and Registry LaunchDaemons. This vulnerability is triggered when an HTTP GET request is sent to the controller URI /api/v1/registry/log
or to the Registry URI /log
. Both requests ultimately invoke the veertu.com/veertu/registry/log_server.(*LogServer).HandleLogOutput
method within the anka-registry
binary. The decompiled code for the veertu.com/veertu/registry/log_server.(*LogServer).HandleLogOutput
method is as follows:
a2 = (unsigned int *)http_responsewriter.tab;
v4 = net_url__ptr_URL_Query(x3_0->URL);
service_param.ptr = (char *)&service;
service_param.len = 7LL;
service_value = net_url_Values_Get(v4, service_param); //<------------------- (1)
if ( service_value.len )
{
v32.data = a2_8;
v32.tab = a2;
veertu_com_veertu_registry_log_server__ptr_LogServer_streamLog(a1, v32, a3, service_value); //<------------------- (2)
}
At (1)
, the service
parameter value is obtained from the URL. At (2)
, veertu.com/veertu/registry/log_server.(*LogServer).streamLog
method is called. This method, in turn, calls veertu.com/veertu/registry/backend/disklogserver.(*Backend).TailServiceLog
. The decompile code of veertu.com/veertu/registry/backend/disklogserver.(*Backend).TailServiceLog
is as follows:
while ( (unsigned __int64)&v12 <= *(_QWORD *)(v3 + 16) )
{
v19 = a1;
ptr = service_value.ptr;
len = service_value.len;
runtime_morestack_noctxt(a1, service_value.ptr, service_value.len);
a1 = v19;
service_value.ptr = ptr;
service_value.len = len;
}
LogFilePath = veertu_com_veertu_registry_backend_disklogserver__ptr_Backend_getLogFilePath(a1, service_value); //<---------------- (3)
if ( LogFilePath.1.tab )
{
LogFilePath.0.ptr = 0LL;
LogFilePath.0.len = (size_t)LogFilePath.1.tab;
LogFilePath.1.tab = LogFilePath.1.data;
}
[...]
v4 = os_Stat(LogFilePath.0.ptr, LogFilePath.0.len);
filesize = (*(__int64 (__golang **)(__int64))(v4 + 56))(v5);
v6 = runtime_newobject(&type_ZLVnh7lF);
if ( filesize - 0x100000 > 0 )
*v6 = filesize - 0x100000;
LogFilePath.0.ptr = (char *)github_com_hpcloud_tail_TailFile(
v18,
v11,
v6,
1LL,
1LL,
1LL,
0LL,
0LL,
(unsigned __int8)v12,
v13,
v14,
v15); //<---------------(4)
At (3)
, the TailServiceLog
method invokes the veertu.com/veertu/registry/backend/disklogserver.(*Backend).getLogFilePath
method. In getLogFilePath
, the value of the service
parameter is appended to the log directory path without any validation for directory traversal characters such as dot-dot-slash (../). Subsequently, the extension .log
is added to the new path. This log path is returned by getLogFilePath
and assigned to the LogFilePath
variable.
At (4)
, the github.com/hpcloud/tail.TailFile
method is called, which emulates the BSD tail
program, displaying the last part of the file returned by the getLogFilePath
method.
Here, the service
HTTP Parameter is vulnerable to path traversal. By utilizing dot-dot-slash (../)
sequences or their variations, it may be possible to access and download arbitrary log files from the system where the Registry LaunchDaemon
is installed.
Fixed in 1.43.0 of the Anka Build Cloud.
2024-08-12 - Vendor Disclosure
2024-08-12 - Initial Vendor Contact
2024-09-30 - Vendor Patch Release
2024-10-03 - Public Release
Discovered by KPC of Cisco Talos.