public inbox for nncp-devel@lists.stargrave.org
From: John Goerzen <jgoerzen@complete•org>
To: Eugene Medvedev <rn3aoh.g@gmail•com>
Cc: nncp-devel@lists.cypherpunks.su
Subject: Re: NNCP path traversal attack.
Date: Fri, 19 Sep 2025 07:04:56 -0500
Message-ID: <87plbmir6f.fsf@complete.org>
In-Reply-To: <CAO-d-4p-xZjB=zAri=y-H-KPziVYGwnC70zKQ8vsEHzJTvDGsg@mail.gmail.com> (Eugene Medvedev's message of "Fri, 19 Sep 2025 07:46:20 +0300")

On symlinks:

One can at least test if the resulting path is a symlink, and refuse to
process it if so.  That may possibly have a race condition with other
things on the system, but since nncp-toss is single-threaded, probably
not there.

One vulnerability could be if incoming and freq are the same path.  I'm
not sure if nncp-file will pack up symlinks when asked to send an entire
directory; if so, that could be an issue.  But I suspect that most of
the time, if somebody is using both freq and incoming, they'd be
separate directories.


On Fri, Sep 19 2025, Eugene Medvedev wrote:

> As it currently stands, NNCP is vulnerable to path traversal attacks with
> freq and file functions: Despite the requirement for both to supply full path
> in configuration, both types of packets will accept and act upon paths
> containing "..". Most obviously, this allows one to request any file NNCP
> has access to, like its own configuration file with the private keys in it.
> Likewise, a sent file can break out of the incoming directory in the same
> manner and be written anywhere on the system that the user can write to.
>
> The included patch is my take on dealing with this by limiting path
> traversal to below the configured full path. It does nothing about, e.g.,
> symlinks, and I'm not sure anything should be done about those.
>
> I can't claim to understand the codebase sufficiently to have caught
> all the ways this can happen, however.
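
The two checks discussed in this message, confinement below the configured path and refusal of symlinks, sketched in Go as an added example that is not part of the thread, the posted patch, or NNCP's code. The helper `resolveUnder`, its error values and the sample paths are hypothetical, and it goes slightly beyond the suggestion above by testing every existing component below the base rather than only the final path.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrEscapes = errors.New("path escapes base directory")
var ErrSymlink = errors.New("path goes through a symlink")

// resolveUnder (hypothetical helper) joins a packet-supplied path onto base and
// rejects it if it leaves base or crosses a symlink below base. The Lstat test is
// check-then-use: it assumes nothing else modifies base while it runs.
func resolveUnder(base, untrusted string) (string, error) {
	full := filepath.Join(base, untrusted) // Join cleans, so ".." is collapsed here
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapes
	}
	cur := base
	for _, part := range strings.Split(rel, string(filepath.Separator)) {
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur) // Lstat does not follow the final link
		if errors.Is(err, os.ErrNotExist) {
			break // nothing exists from here down, so no symlink to follow
		}
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return "", ErrSymlink
		}
	}
	return full, nil
}

func main() {
	base, _ := os.MkdirTemp("", "incoming") // constructed sample directory
	defer os.RemoveAll(base)
	os.Symlink(os.TempDir(), filepath.Join(base, "link")) // constructed link leading outside base
	for _, p := range []string{"sub/file.txt", "../../etc/passwd", "link/file.txt"} {
		got, err := resolveUnder(base, p)
		fmt.Printf("%-20q -> %q, %v\n", p, got, err)
	}
}
```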
