Path-Traversal -> Arbitrary File Write in Assemblyline Service Client
IMPORTANT: This vulnerability is valid if you decide to use the assemblyline-service-client outside of the normal practice to using Assemblyline in a production environment. In practice, this code should always be executed within a containerized environment such as assemblyline-v4-service which ensures filesystem-level permissions of what the running user is allowed to access. Furthermore, there is fewer chances for a MiTM compromise when deployed properly in a Docker or Kubernetes deployment where the platform will assign the correct network policies to secure connections between containers instead of relying on the user to set this up manually.
See CybercentreCanada/assemblyline#382 for further discussion.
1. Summary
The Assemblyline 4 service client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name.
No validation / sanitisation is performed.
A malicious or compromised server (or any MITM that can speak to client) can return a path-traversal payload such as
../../../etc/cron.d/evil
and force the client to write the downloaded bytes to an arbitrary location on disk.
2. Affected Versions
3. CVSS 3.1 Vector & Score
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
4. Technical Details
| Field |
Content |
| Location |
assemblyline_service_client/task_handler.py, inside download_file() |
| Vulnerable Line |
file_path = os.path.join(self.tasking_dir, sha256) |
| Root Cause |
The sha256 string is taken directly from the service-server JSON response and used as a file name without any validation or sanitisation. |
| Exploit Flow |
1. Attacker (service server) returns HTTP 200 for GET /api/v1/file/../../../etc/cron.d/evil.
2. Client writes the response body to /etc/cron.d/evil.
3. Achieves arbitrary file write (code execution if file is executable). |
5. Impact
- Integrity – Overwrite any file writable by the service UID (often root).
- Availability – Corrupt critical files or exhaust disk space.
- Code Execution – Drop cron jobs, systemd units, or overwrite binaries.
6. Mitigation / Fix
import re
_SHA256_RE = re.compile(r'^[0-9a-fA-F]{64}\Z')
def download_file(self, sha256: str, sid: str) -> Optional[str]:
if not _SHA256_RE.fullmatch(sha256):
self.log.error(f"[{sid}] Invalid SHA256: {sha256}")
self.status = STATUSES.ERROR_FOUND
return None
# or your preferred way to check if a string is a shasum.
References
serexp Reporter
Path-Traversal -> Arbitrary File Write in Assemblyline Service Client
IMPORTANT: This vulnerability is valid if you decide to use the assemblyline-service-client outside of the normal practice to using Assemblyline in a production environment. In practice, this code should always be executed within a containerized environment such as assemblyline-v4-service which ensures filesystem-level permissions of what the running user is allowed to access. Furthermore, there is fewer chances for a MiTM compromise when deployed properly in a Docker or Kubernetes deployment where the platform will assign the correct network policies to secure connections between containers instead of relying on the user to set this up manually.
See CybercentreCanada/assemblyline#382 for further discussion.
1. Summary
The Assemblyline 4 service client (
task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name.A malicious or compromised server (or any MITM that can speak to client) can return a path-traversal payload such as
../../../etc/cron.d/eviland force the client to write the downloaded bytes to an arbitrary location on disk.
2. Affected Versions
assemblyline-service-client3. CVSS 3.1 Vector & Score
4. Technical Details
assemblyline_service_client/task_handler.py, insidedownload_file()file_path = os.path.join(self.tasking_dir, sha256)sha256string is taken directly from the service-server JSON response and used as a file name without any validation or sanitisation.GET /api/v1/file/../../../etc/cron.d/evil.2. Client writes the response body to
/etc/cron.d/evil.3. Achieves arbitrary file write (code execution if file is executable).
5. Impact
6. Mitigation / Fix
References