Impact
In LXD-UI, insufficient input validation when various parameters are directly embedded in URL paths allows path traversal attacks. This vulnerability occurs when attackers create malicious resource names containing strings like ../, and when other users perform operations on those resources, path normalization causes unintended switching to different
projects or resources.
Specific problematic areas include, for example, the following API calls where group names are directly embedded in URL paths:
https://github.com/canonical/lxd-ui/blob/6a4a05268033774772612fda1f60dc9ae3967cd6/src/api/auth-groups.tsx#L38-L43
Additionally, as shown in the reproduction steps, similar issues occur in profile navigation
URL creation:
https://github.com/canonical/lxd-ui/blob/6a4a05268033774772612fda1f60dc9ae3967cd6/src/pages/profiles/ProfileLink.tsx#L12-L23
https://github.com/canonical/lxd-ui/blob/6a4a05268033774772612fda1f60dc9ae3967cd6/src/pages/instances/InstanceOverviewProfiles.tsx#L41-L49
During the penetration test period, we verified an attack that redirects to different profile edit screens by including backslash () in profile names. The reproduction steps are shown below.
Reproduction Steps
- Log in with permissions to create profiles in a specific project
- Open browser DevTools and execute the following JavaScript to create a profile containing path traversal:Note that this code sends an API request with a profile name containing path traversal strings to verify the vulnerability. In this PoC code, since forward slash (/) was prohibited, it uses backslash () and employs camouflage using spaces (using Japanese spaces since normal whitespace is stripped and would make the attack payload noticeable) to verify difficulty of detection in the UI.
(async () => {
const projectName = prompt("Enter target project name for
profile creation:");
const victimProjectName = prompt("Enter victim project
name:");
const victimProfileName = prompt("Enter victim profile
name:");
const japaneseSpaces = ' '.repeat(30);
const maliciousProfileName =
`changeme${japaneseSpaces}\\..\\..\\..\\${victimProjectName}\\
profile\\${victimProfileName}`;
const payload = {
name: maliciousProfileName,
description: "Test profile for path traversal"
};
const response = await
fetch(`/1.0/profiles?project=${projectName}`, {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify(payload),
credentials: 'include'
});
})();
- When attempting to open the created profile, verify that the path is normalized and a different profile is opened
Also, confirm that the spaces make it more difficult to notice that the name is somewhat abnormal.
Risk
The attack conditions require that the attacker can set malicious resource names containing path traversal strings, and that another user (potentially with higher privileges) attempts to perform operations on that resource. However, given that many resources have name constraints, changing resource names like group names requires significant permissions, and victims must operate without noticing, the attack conditions are very difficult to meet.
Possible actions through the attack include, as shown in the reproduction steps, causing users to mistakenly modify profiles in different projects. For example, if the victim mistakenly adds the attacker's SSH key at this time, the attacker may be able to SSH into instances in different projects.
As mentioned above, in other cases verified during the penetration test period, effective attack vectors were not discovered due to resource name constraints, permission constraints, and inability to maintain normal frontend behavior.
Countermeasures
As a fundamental countermeasure, URL encoding should be performed when passing parameters as path parameters during API calls or when constructing navigation URLs. Similarly, for query parameters, values could be given = characters to specify different parameters. Therefore, we recommend using URL class searchParams instead of simple string concatenation.
Patches
| LXD Series |
Status |
| 6 |
Fixed in LXD 6.5 (LXD-UI 0.18) |
| 5.21 |
Fixed in LXD 5.21.4 (LXD-UI ??) |
| 5.0 |
Ignored - Not critical |
| 4.0 |
Ignored - No web UI |
References
Reported by GMO Flatt Security Inc.
Impact
In LXD-UI, insufficient input validation when various parameters are directly embedded in URL paths allows path traversal attacks. This vulnerability occurs when attackers create malicious resource names containing strings like ../, and when other users perform operations on those resources, path normalization causes unintended switching to different
projects or resources.
Specific problematic areas include, for example, the following API calls where group names are directly embedded in URL paths:
https://github.com/canonical/lxd-ui/blob/6a4a05268033774772612fda1f60dc9ae3967cd6/src/api/auth-groups.tsx#L38-L43
Additionally, as shown in the reproduction steps, similar issues occur in profile navigation
URL creation:
https://github.com/canonical/lxd-ui/blob/6a4a05268033774772612fda1f60dc9ae3967cd6/src/pages/profiles/ProfileLink.tsx#L12-L23
https://github.com/canonical/lxd-ui/blob/6a4a05268033774772612fda1f60dc9ae3967cd6/src/pages/instances/InstanceOverviewProfiles.tsx#L41-L49
During the penetration test period, we verified an attack that redirects to different profile edit screens by including backslash () in profile names. The reproduction steps are shown below.
Reproduction Steps
Also, confirm that the spaces make it more difficult to notice that the name is somewhat abnormal.
Risk
The attack conditions require that the attacker can set malicious resource names containing path traversal strings, and that another user (potentially with higher privileges) attempts to perform operations on that resource. However, given that many resources have name constraints, changing resource names like group names requires significant permissions, and victims must operate without noticing, the attack conditions are very difficult to meet.
Possible actions through the attack include, as shown in the reproduction steps, causing users to mistakenly modify profiles in different projects. For example, if the victim mistakenly adds the attacker's SSH key at this time, the attacker may be able to SSH into instances in different projects.
As mentioned above, in other cases verified during the penetration test period, effective attack vectors were not discovered due to resource name constraints, permission constraints, and inability to maintain normal frontend behavior.
Countermeasures
As a fundamental countermeasure, URL encoding should be performed when passing parameters as path parameters during API calls or when constructing navigation URLs. Similarly, for query parameters, values could be given = characters to specify different parameters. Therefore, we recommend using URL class searchParams instead of simple string concatenation.
Patches
References
Reported by GMO Flatt Security Inc.