A deployment automation tool used Python's os.path.join() to confine script execution to a designated build directory. os.path.join() discards every preceding component as soon as it encounters an absolute path, so an attacker who could supply a deployment hook through the web dashboard simply passed an absolute path, escaped the sandbox entirely, and executed arbitrary scripts on the host OS. The exploit dropped a payload under /tmp/ and then supplied that absolute path as the deployment hook. Even though the service ran as a non-root user, the impact included theft of cloud credentials via the instance metadata service (IMDS), poisoning of future builds (a supply-chain attack), and exfiltration of the secrets available to the build environment. The fix is to normalise the joined path (the write-up uses os.path.abspath()) and then verify that the result still lies within the intended base directory. In practice that containment check should also resolve symlinks (os.path.realpath()) and compare path components rather than string prefixes, so that a sibling directory whose name merely starts with the base directory's name is not accepted.
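The behaviour and the fix, as an added example that is not code from the write-up or from the affected tool. The base directory /srv/builds, the hook names and the helper function names are assumptions chosen for illustration; the example also goes slightly beyond the article by showing why an abspath()+startswith() prefix check is not enough on its own.

```python
import os

# Assumed sandbox root for the deployment hooks (hypothetical path).
BASE_DIR = "/srv/builds"


def resolve_hook_vulnerable(base_dir: str, hook: str) -> str:
    """What the vulnerable tool effectively did.

    os.path.join() throws away every earlier component the moment it sees
    an absolute path, so an absolute ``hook`` silently replaces ``base_dir``.
    """
    return os.path.join(base_dir, hook)


def naive_is_inside(base_dir: str, path: str) -> bool:
    """A common but flawed containment check: normalise, then string-prefix.

    It accepts any sibling directory whose name starts with the base name
    (e.g. a base of /srv/builds also accepts /srv/builds2/...), and it does
    not resolve symlinks.
    """
    return os.path.abspath(path).startswith(os.path.abspath(base_dir))


def is_inside(base_dir: str, path: str) -> bool:
    """Component-wise containment check with symlinks resolved."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(path)
    # commonpath() works on whole path components, so /srv/builds2 is not
    # "inside" /srv/builds, and ".." segments are already collapsed by realpath().
    return os.path.commonpath([base, candidate]) == base


def resolve_hook_safe(base_dir: str, hook: str) -> str:
    """Hardened resolver: join, resolve, then refuse anything outside base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, hook))
    if not is_inside(base, candidate):
        raise ValueError(f"deployment hook escapes sandbox: {hook!r}")
    return candidate


def check_hooks(base_dir: str, hooks: list[str]) -> dict[str, str]:
    """Classify each attacker-controlled hook as 'allowed' or 'rejected'."""
    verdicts = {}
    for hook in hooks:
        try:
            resolve_hook_safe(base_dir, hook)
            verdicts[hook] = "allowed"
        except ValueError:
            verdicts[hook] = "rejected"
    return verdicts


if __name__ == "__main__":
    # Constructed inputs: one legitimate hook, the absolute-path escape from the
    # write-up, a classic traversal, and a harmless relative ".." that stays inside.
    sample_hooks = [
        "hooks/deploy.sh",
        "/tmp/payload.sh",
        "../../etc/passwd",
        "hooks/../deploy.sh",
    ]
    for h in sample_hooks:
        print(f"join()      -> {resolve_hook_vulnerable(BASE_DIR, h)}")
    for h, verdict in check_hooks(BASE_DIR, sample_hooks).items():
        print(f"{verdict:8s} {h}")
    print("naive prefix check on /srv/builds2/evil.sh:",
          naive_is_inside(BASE_DIR, "/srv/builds2/evil.sh"))
    print("component check on /srv/builds2/evil.sh:  ",
          is_inside(BASE_DIR, "/srv/builds2/evil.sh"))
```

Run it as a script to see the join() results beside the verdicts. On Python 3.9 and later, pathlib's Path.is_relative_to() expresses the same component-wise comparison as is_inside(); whichever form you use, resolve both sides first, because the check is only as strong as the path it is comparing.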

4m read time • From infosecwriteups.com
Table of contents
The Target: An Enterprise Deployment Engine
The Vulnerability: The os.path.join Trap
The Exploit: Weaponizing the Logic Flaw
The Impact: Why This is Critical
Remediation: How to Fix It
Conclusion
