Summary: This article looks at CVE-2024-25711, a directory traversal in diffoscope (before version 256) triggered by the filename embedded in a GPG (OpenPGP) message. We explain how the bug follows from decrypting with gpg's --use-embedded-filename option, walk through a sample exploit, and describe how to protect yourself.

Introduction

Diffoscope is a popular tool for comparing files, directories, and archives. It produces detailed, human-readable differences between two inputs to aid in debugging and analysis, recursing into archives and other containers to compare their contents. Recently, a vulnerability was disclosed in versions of diffoscope before 256 that allows directory traversal through the filename embedded in a GPG file. An attacker who can get a victim to run diffoscope on a crafted .gpg file can cause the contents of an arbitrary file readable by the victim, such as an SSH private key, to appear in the comparison output. In this post, we look at this vulnerability (CVE-2024-25711) in detail, walk through a sample exploit, and discuss preventative measures.

Vulnerability details

The vulnerability (CVE-2024-25711) is present in diffoscope prior to version 256. An OpenPGP message carries a filename inside its literal data packet, and that name is chosen by whoever created the message. Diffoscope decrypted .gpg files with gpg's --use-embedded-filename option (the CVE text spells it --use-embedded-filenames), which tells gpg to name its output file after that embedded name. In effect, a sender-controlled string was used as a filesystem path: a name containing ../ components escapes the directory in which gpg runs, and the contents of whatever the path points to (for example ../.ssh/id_rsa, relative to that working directory) end up in the comparison output without the victim noticing. The root cause is that diffoscope trusted the value delivered through the --use-embedded-filename mechanism instead of treating it as untrusted input.

Original references

For more information, you can refer to the following links to understand the issue and related disclosures better:

- Official CVE page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25711
- Debian bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005291

Sample exploit code snippet

An attacker creates a GPG message whose embedded filename points at a sensitive file. The embedded name is chosen at encryption time with gpg's --set-filename option; --use-embedded-filename matters only on the decrypting side, where it tells gpg to honour that name. The message itself need not contain anything sensitive. It only has to carry the name ../.ssh/id_rsa (resolved relative to the directory in which diffoscope's gpg invocation runs), which is the path a vulnerable diffoscope ends up reading.

$ echo 'Hello, world!' > file.txt
$ gpg --batch --yes --set-filename '../.ssh/id_rsa' --recipient '<recipient-key-id>' --output malicious.gpg --encrypt file.txt
$ gpg --batch --list-packets malicious.gpg   # verification only: with the recipient key available, the literal data packet shows name="../.ssh/id_rsa"

When the victim compares the malicious file against another GPG file with a vulnerable diffoscope, the decryption step honours the embedded name, and the contents of ../.ssh/id_rsa on the victim's machine (resolved relative to diffoscope's working directory) are included in the comparison report. That report is what discloses the key: the attacker obtains it whenever the diffoscope output is shared, for example attached to a bug report or published by an automated reproducibility check. Note that the victim must be able to decrypt malicious.gpg, so the attacker encrypts it to a key the victim holds.

$ diffoscope --html output.html file1.gpg malicious.gpg

(Redirecting standard output with > output.html, as the command is sometimes written, produces diffoscope's plain-text report rather than HTML; the file contents are disclosed either way.)
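The check below is an added example for this post; it is not diffoscope's own code and is not taken from the upstream fix. It parses the literal data packet's name= field out of gpg --list-packets output to flag embedded filenames that contain path separators or .. components, shows where such a name would land relative to a working directory if gpg honoured it, and builds the hardened gpg invocation (a fixed --output path plus --no-use-embedded-filename) beside a representative weak one. The packet dump it parses is a constructed sample in the layout gpg prints for a literal data packet, not captured output, and the exact argv strings are an assumption rather than diffoscope's command line. The check_gpg_file helper assumes gpg is installed and, for an encrypted message, that the key needed to decrypt it is available, because gpg only lists the literal data packet after decrypting.

```python
"""Pre-flight check for sender-controlled filenames in OpenPGP messages.

Added example, not diffoscope's code. Parses the literal data packet's
name= field from `gpg --list-packets` output and flags names that would
escape the working directory if gpg were run with --use-embedded-filename.
"""
import posixpath
import re
import subprocess

# Constructed sample in the layout gpg prints for a literal data packet
# (assumed format, not captured from a real run). The attacker-chosen name
# is the quoted name= field.
SAMPLE_PACKET_DUMP = (
    ":compressed packet: algo=1\n"
    ":literal data packet:\n"
    '\tmode b (62), created 1708999999, name="../.ssh/id_rsa",\n'
    "\traw data: 14 bytes\n"
)

# gpg quotes the name; backslash escapes may appear for unprintable bytes.
_NAME_RE = re.compile(r'name="((?:[^"\\]|\\.)*)"')


def embedded_filenames(packet_dump):
    """Return every name= value found inside literal data packets.

    Lines beginning with ':' start a new packet; only the detail lines that
    follow a ':literal data packet:' header are searched for name=.
    """
    names = []
    in_literal = False
    for line in packet_dump.splitlines():
        if line.startswith(":"):
            in_literal = line.startswith(":literal data packet:")
            continue
        if in_literal:
            match = _NAME_RE.search(line)
            if match:
                names.append(match.group(1))
    return names


def is_safe_embedded_name(name):
    """Accept only a plain basename: non-empty, no separators, not '.' or '..'."""
    if name in ("", ".", ".."):
        return False
    return not any(ch in name for ch in "/\\\0")


def traversal_target(workdir, name):
    """Path gpg would write to if it honoured `name` while running in `workdir`.

    Shows the escape: '../.ssh/id_rsa' under /tmp/diffoscope-work resolves to
    /tmp/.ssh/id_rsa, and an absolute name ignores workdir entirely.
    """
    return posixpath.normpath(posixpath.join(workdir, name))


def unsafe_embedded_names(packet_dump):
    """Embedded names from the dump that fail is_safe_embedded_name."""
    return [n for n in embedded_filenames(packet_dump) if not is_safe_embedded_name(n)]


def check_gpg_file(path):
    """Live check: run gpg --list-packets on `path` and report unsafe names.

    Assumes gpg is installed. For an encrypted message gpg only prints the
    literal data packet when it can decrypt it, so the recipient key is needed.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--list-packets", path],
        capture_output=True, text=True, check=True,
    )
    return unsafe_embedded_names(proc.stdout)


def gpg_decrypt_argv(path, plaintext_out, trust_embedded_name):
    """Build a gpg command for extracting a message's plaintext (illustrative
    argv, not diffoscope's exact invocation).

    trust_embedded_name=True mirrors the weak setting: gpg names the output
    file from the message. False is the hardened form: a fixed --output path
    and --no-use-embedded-filename, so the sender's name is never a path.
    """
    if trust_embedded_name:
        return ["gpg", "--batch", "--use-embedded-filename", "--decrypt", path]
    return ["gpg", "--batch", "--no-use-embedded-filename",
            "--output", plaintext_out, "--decrypt", path]


if __name__ == "__main__":
    for name in embedded_filenames(SAMPLE_PACKET_DUMP):
        verdict = "ok" if is_safe_embedded_name(name) else "UNSAFE"
        print(f"{verdict}: {name!r} -> {traversal_target('/tmp/diffoscope-work', name)}")
```

Run it as a script to see the constructed sample classified, or call check_gpg_file on a real .gpg file before handing it to an unpatched diffoscope. The hardened argv is the shape of the defence: decide the output path yourself and never let the message pick it.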

Mitigation

To prevent this vulnerability from being exploited, update diffoscope to version 256 or later, which no longer trusts the embedded filename. You can install the latest version from the official website or through your distribution's package manager; a distribution package with an older version number may carry a backported fix, so check its changelog for CVE-2024-25711 rather than relying on the version alone. Until you have updated, do not run diffoscope on .gpg files from untrusted sources, or run it in a throwaway environment that has no access to secrets such as ~/.ssh.

- Official website: https://diffoscope.org/

Conclusion

This vulnerability (CVE-2024-25711) demonstrates the importance of keeping software up to date with security patches and understanding the potential risks when working with encryption and file comparison tools. By updating to the latest version of diffoscope and being vigilant about the sources of GPG files, you can safeguard your sensitive information and avoid falling victim to this vulnerability.

Timeline

Published on: 02/27/2024 02:15:06 UTC
Last modified on: 02/27/2024 14:20:06 UTC