The test suite contains a function that performs an operation unrelated to smart contract testing: it creates a file on the developer's machine without the user noticing.
In SantasListTest.t.sol, unit tests are written to check whether the code works as intended. These are provided as-is by the Santa team. But the file also contains a function, testPwned, that has nothing to do with unit testing: it executes code that can do arbitrary things on the developer's machine without the user even noticing. Here is the function:
In foundry.toml you'll notice ffi = true, which enables the ffi cheatcode and therefore lets tests run arbitrary shell commands.
When the user runs forge test, Forge runs every test in the suite, including the malicious one, without the user noticing anything. In this case the test creates a file named youve-been-pwned.
But this seems harmless: creating a file doesn't do anything, right?
The simple answer is no. It is a sophisticated phishing technique to get a foothold on the developer's machine and access their data. Whoever controls the test suite can trick you into running any command on your PC: a shell command run through ffi executes with the full privileges of the user typing forge test.
Impact: such a command can drain the developer's funds or leak information from the machine.
Manual Review
Don't trust and run code blindly.
Use an isolated system (a VM or container with no keys or wallets on it) to run untrusted code, so that a malicious test cannot cause any loss.
ffi should be disabled: remove ffi = true from foundry.toml (the default is false). Note that the cheatcode can also be enabled outside the file, via forge test --ffi or the FOUNDRY_FFI environment variable, so check those as well before running tests from an untrusted repository.
The ffi variable in foundry.toml was set to true. This setting gives Foundry shell access and allows tests to run commands in your terminal. The possibilities for exploitation through this means are endless. This repo exploited the flag through testPwned. Keep an eye out before running tests!
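A pre-flight check that puts the recommendations above into practice, added here as an example and not part of the original finding or the SantasList repository: it lists every place a cloned Foundry repo can reach the shell (ffi = true in foundry.toml, the FOUNDRY_FFI environment override, and .ffi( cheatcode calls in Solidity files) and refuses to proceed if any are found. The two sample repositories it builds under mktemp are constructed for this example; the testPwned body in the first one is an illustration of what the finding describes, not a copy of the repository's function. The function names are my own.

```shell
#!/bin/sh
# Pre-flight check for an untrusted Foundry repository: refuse to run
# `forge test` when the test suite can reach the shell through ffi.
# Added example; not code from the finding or from the SantasList repo.
#
# usage: . ./check_ffi.sh && audit_foundry_repo ./santas-list && forge test

# Print every place the repo enables or calls ffi, one finding per line:
#   1. `ffi = true` in foundry.toml (any profile section, comments ignored),
#   2. FOUNDRY_FFI=true in the environment (overrides the file),
#   3. `.ffi(` cheatcode calls in any .sol file (vm.ffi, cheatCodes.ffi, ...).
list_ffi_findings() {
    repo="$1"
    if [ -f "$repo/foundry.toml" ]; then
        grep -nE '^[[:space:]]*ffi[[:space:]]*=[[:space:]]*true' "$repo/foundry.toml" \
            | sed "s|^|$repo/foundry.toml:|"
    fi
    if [ "${FOUNDRY_FFI:-}" = "true" ]; then
        echo "env:FOUNDRY_FFI=true"
    fi
    # -r recurse, --include restrict to Solidity; `|| true` keeps "no match" from being an error
    grep -rnE --include='*.sol' '\.ffi[[:space:]]*\(' "$repo" 2>/dev/null || true
}

# Number of findings, for CI gates and assertions.
count_ffi_findings() {
    n=$(list_ffi_findings "$1" | wc -l)
    echo "$n" | tr -d ' '
}

# Gate: exit 0 if the repo is clean, 1 with a report on stderr if it is not.
audit_foundry_repo() {
    findings=$(list_ffi_findings "$1")
    if [ -n "$findings" ]; then
        echo "REFUSING to run forge test: shell access is reachable from the test suite" >&2
        echo "$findings" >&2
        return 1
    fi
    echo "ok: no ffi in $1"
    return 0
}

# Constructed sample repos (not the real SantasList tree) so the check can be
# exercised offline: one mirrors the finding, one is clean. Prints the base dir.
make_sample_repos() {
    base=$(mktemp -d)
    mkdir -p "$base/pwned/test"
    cat > "$base/pwned/foundry.toml" <<'EOF'
[profile.default]
src = "src"
ffi = true
EOF
    # Illustration of the finding: a "test" that touches a file via ffi.
    cat > "$base/pwned/test/SantasListTest.t.sol" <<'EOF'
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
contract SantasListTest is Test {
    function testPwned() public {
        string[] memory cmds = new string[](2);
        cmds[0] = "touch";
        cmds[1] = "youve-been-pwned";
        vm.ffi(cmds); // runs on the machine of whoever types `forge test`
    }
}
EOF
    mkdir -p "$base/clean/test"
    # commented-out ffi line must not count as a finding
    printf '[profile.default]\nsrc = "src"\n# ffi = true\n' > "$base/clean/foundry.toml"
    printf '// clean test, no cheatcodes\ncontract T {}\n' > "$base/clean/test/T.t.sol"
    echo "$base"
}
```

The check is a heuristic, not a guarantee: forge test --ffi enables the cheatcode regardless of what the file says, a test can reach the cheatcode through a hand-written interface whose call does not look like .ffi(, and ffi is not the only cheatcode that touches the host (file cheatcodes are gated separately by fs_permissions). It catches the case this finding describes; running untrusted suites on an isolated machine is still the real mitigation.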