A GET request can be leveraged to traverse the directory structure of a host running the lactate web server package and request arbitrary files outside of the specified web root. This allows a remote attacker to read arbitrary files on the filesystem that the server process has access to. Only files that the user running lactate has permission to read will be accessible via this vulnerability.
Proof of concept:
Globally install the lactate package and cd to a directory you wish to serve assets from. Next, run lactate -p 8081 to start serving files from this location.
The following cURL request can be used to demonstrate this vulnerability by requesting the target
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
[...]
As there is currently no fix for this issue, selecting an alternative static web server is the best option.
Reported: Initial report by Yasin Soliman (ysx), Jan 23rd, 2018
Published: Advisory published Jan 23rd, 2018