CVE-2024-22851 - Unauthenticated Path Traversal

Created: 2024-01-30

Overview

During a security audit for a LiveConfig customer, Raphael Kuhn from DriveByte GmbH discovered an unauthenticated path traversal vulnerability in LiveConfig up to and including version 2.5.1.

Cause

By requesting a specially crafted path, it was possible to read files on the server with the permissions of the LiveConfig user (liveconfig). The cause was an incorrect check that the requested path stayed within the base directory permitted for the affected use case.
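The advisory does not show LiveConfig's own code, so the following is an added example (not LiveConfig's implementation) of the kind of base-directory check that was missing: a lexical normaliser in POSIX shell that walks the request path segment by segment and rejects any request whose ".." segments would climb above the base directory. It assumes the request path has already been URL-decoded; the names safe_path, base and req are chosen for this example.

```shell
#!/bin/sh
# Added example (not LiveConfig's code): a lexical base-directory check.
# safe_path BASE REQUEST prints the resolved absolute path and returns 0
# when REQUEST stays inside BASE; it prints nothing and returns 1 when a
# ".." segment would climb above BASE. REQUEST is assumed to be already
# URL-decoded (an assumption made for this example).
safe_path() {
    base=${1%/}          # strip one trailing slash from the base directory
    req=$2
    out=""               # path built so far, relative to base, "/"-prefixed
    depth=0              # number of real segments currently in $out
    old_ifs=$IFS
    set -f               # no pathname expansion while splitting the request
    IFS='/'
    set -- $req          # split the request on "/" into positional params
    IFS=$old_ifs
    set +f
    for seg in "$@"; do
        case $seg in
            ''|.)  ;;                       # empty or "." segment: no-op
            ..)
                if [ "$depth" -eq 0 ]; then
                    return 1                # would escape the base directory
                fi
                out=${out%/*}               # drop the last real segment
                depth=$((depth - 1))
                ;;
            *)
                out="$out/$seg"
                depth=$((depth + 1))
                ;;
        esac
    done
    printf '%s\n' "$base$out"
}

# Demonstration on constructed inputs (fictional base directory and paths).
safe_path /var/www 'css/../index.html'          # prints /var/www/index.html
safe_path /var/www 'css/../../secret.txt' || echo "rejected: escapes base"
```

The check is purely lexical: it prevents ".." from leaving the base directory but does not follow symbolic links, so a server should additionally resolve the final path with the real filesystem (for example with realpath) and confirm that it still has the base directory as a prefix before opening the file.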

Risk

The web server component integrated in LiveConfig runs with the permissions of the user liveconfig. This means that every file the user liveconfig is permitted to read could be read from the server. It was not possible to access the contents of webspace accounts or of other users, nor the LiveConfig license key (liveconfig.key) or TLS certificate (sslcert.pem).

If LiveConfig was operated with the default SQLite database, the database file could also be read with a targeted request. It may contain customer contact data (depending on what was recorded). However, all particularly sensitive data (passwords, private keys, TLS certificates, etc.) is stored there in hashed (PBKDF2) or encrypted (AES) form. Passwords that are no longer required (e.g. after an account has been created successfully) are deleted from the database by LiveConfig immediately.

In what we estimate to be the worst case, it would therefore have been possible to read the hosted domain names, user names (LiveConfig, FTP, etc.) and, where recorded, contact data (information disclosure).

If MySQL was used as the database backend, this information could not be accessed: the configuration file /etc/liveconfig/liveconfig.conf, which holds the MySQL credentials, is not readable by the liveconfig user.

LiveConfig was affected up to and including version 2.5.1. In version 2.5.2 (28.11.2017) the faulty component was replaced, so the vulnerability can no longer be exploited. The bug has therefore effectively been fixed for over six years.

DriveByte calculated a CVSS 4.0 score of 7.7 (High): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:P.

Analysis

The following grep calls can be used to check whether such accesses were attempted and succeeded (HTTP status 200):

cd /var/log/liveconfig
grep '/\.\./' access.log access.log.1 | grep '" 200'
zgrep '/\.\./' access.log*.gz | grep '" 200'
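To show the grep pipeline above running end to end, here is an added example (not part of the advisory and not a LiveConfig tool) that wraps it in two shell functions, handles plain and rotated .gz logs in one pass, and runs them over a constructed sample log. As an extension of the advisory's literal "/../" pattern it also matches the percent-encoded form "%2e%2e", which a web server may log undecoded; that extension, the function names and the sample lines are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not LiveConfig's tooling): scan access logs for successful
# requests containing a path-traversal segment, as the advisory's grep
# pipeline does, handling rotated .gz logs in the same pass.

# traversal_hits FILE... prints log lines whose request path contains "/../"
# (or, as an extension of the advisory's check, the percent-encoded form
# "%2e%2e", matched case-insensitively) and whose HTTP status is 200.
traversal_hits() {
    for f in "$@"; do
        case $f in
            *.gz) gzip -dc "$f" ;;      # rotated, compressed log
            *)    cat "$f" ;;
        esac
    done | grep -iE '/(\.\.|%2e%2e)/' | grep '" 200 '
}

# count_traversal_hits FILE... prints the number of such lines.
count_traversal_hits() {
    traversal_hits "$@" | wc -l | tr -d ' '
}

# Constructed sample log (common log format, fictional addresses and paths)
# used to exercise the functions; real logs live in /var/log/liveconfig.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Jan/2024:10:01:22 +0100] "GET /index.html HTTP/1.1" 200 1532
203.0.113.7 - - [10/Jan/2024:10:01:25 +0100] "GET /static/../../../placeholder.txt HTTP/1.1" 200 21
203.0.113.7 - - [10/Jan/2024:10:01:27 +0100] "GET /static/../../../missing.txt HTTP/1.1" 404 0
203.0.113.7 - - [10/Jan/2024:10:01:30 +0100] "GET /static/%2E%2E/%2e%2e/placeholder2.txt HTTP/1.1" 200 10
198.51.100.4 - - [10/Jan/2024:10:02:01 +0100] "GET /login HTTP/1.1" 302 0
EOF

traversal_hits "$SAMPLE_LOG"
echo "hits: $(count_traversal_hits "$SAMPLE_LOG")"
```

On a real system the call would be `traversal_hits /var/log/liveconfig/access.log /var/log/liveconfig/access.log.1 /var/log/liveconfig/access.log*.gz`; only the 200 responses matter for triage, since a 404 for a traversal path shows an attempt that returned nothing.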

Conclusion

This bug shows how important it is to keep servers up to date at all times. Although the vulnerability came to light by chance (the system under investigation was actually running LiveConfig 2.2.x), it is thanks to DriveByte's diligence and experience that it was discovered there.

Following the report, we analyzed the affected code and similar components, but were unable to identify any further comparable vulnerabilities.

Nevertheless, we consider it appropriate to issue a security advisory in case such extremely outdated server installations are still publicly accessible elsewhere. We will also step up our efforts to ensure that users who are not logged in cannot determine the exact LiveConfig version, so that crawling for specific LiveConfig versions becomes more difficult.

Acknowledgments

We would like to thank Mr. Raphael Kuhn (DriveByte GmbH) for responsibly disclosing the discovered security issue and for the friendly and open communication.

  • reported: 11/06/2023 09:50 GMT+1
  • analyzed: 11/06/2023 11:40 GMT+1
  • published: 01/30/2024
  • fixed: 11/28/2017 (commit 584a11418)
  • affected versions: up to v2.5.1