The test suite contains a function testPwned, which can execute arbitrary and unrestricted commands on the user's system. This poses a critical security threat since these commands could potentially access sensitive information, create a reverse shell for remote access, look for passwords, or introduce malware onto the system.
This particular test appears harmless at first glance, merely creating a file named "youve-been-pwned-remember-to-turn-off-ffi!". However, there is no valid purpose for this test other than to exhibit malicious behavior.
The ffi cheatcode, enabled by the ffi setting in the foundry.toml file, is provided by the Foundry framework for Ethereum application development. It allows terminal commands to be executed from Solidity code on the local system. It is designed to run within the context of the root directory of the project, not within the context of the test directory. That is why there is no reason for ffi = true in the foundry.toml file of this project.
Example 1: A scenario where the user's API key could be compromised:
First, export the API key in your shell:
Then execute the test to store the API key in a file:
Alternatively, transmit it to an external server:
Now, if ffi = true is set in the foundry.toml file, this function poses a significant security risk. It can expose sensitive information, like the ARBITRUMSCAN_API_KEY, by writing it to a file that could potentially be accessed by unauthorized individuals. Depending on what the ARBITRUMSCAN_API_KEY is used for, this could lead to a variety of security breaches, including unauthorized access to services, data leaks, and more. The severity of this risk is high, as it could lead to serious data breaches and unauthorized access to critical services.
Example 2: Erasing all data on the filesystem using rm -rf /:
Warning: This command is extremely harmful and should never be executed.
Important Disclaimer: The rm -rf / command has the capability to erase all content within the filesystem where the user holds write permissions. Its inclusion here is solely for educational purposes, serving to highlight the gravity of security flaws in scripts. Under no circumstances should this command be executed on any system.
The provided test function testPwned() is a simple function that uses the ffi cheatcode to create a file named "youve-been-pwned-remember-to-turn-off-ffi!" in the current directory. At first glance, this function does not interact with any contract state or perform any other actions that could affect the contract's behavior.
However, after a look at the foundry.toml file, we can see that ffi is set to true, which in itself is a security risk. The ffi cheatcode allows arbitrary terminal commands to be executed from Solidity code, which could be exploited to perform malicious actions.
It has the potential to result in data breaches, encompassing exposure of private keys and passwords, unauthorized remote code execution, and the possible destruction of digital information (for example, via rm -rf /).
Tools used: manual review, AI-assisted analysis, and checking past similar reports.
Remove the malicious test section from the test suite.
Go to foundry.toml and change ffi status from true to false:
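As an added example (my own code, not part of the original report or the audited project), the following Python script checks for the two conditions this finding hinges on: ffi = true in foundry.toml and vm.ffi(...) calls in Solidity test sources. It then applies the recommended fix by flipping the flag to false while leaving the rest of the file untouched, so it can serve as a CI gate or a pre-review check. The foundry.toml and test contract embedded below are constructed samples that resemble what the report describes; they are not the project's real files. It assumes the standard forge-std spelling of the cheatcode (vm.ffi) and that foundry.toml uses the flat [profile.<name>] / key = value layout, which is enough for the ffi key; it is not a full TOML parser.

```python
"""Detect Foundry FFI exposure: 'ffi = true' in foundry.toml combined with
vm.ffi(...) calls in Solidity tests, and apply the report's recommended fix.
Added example; the sample config and test below are constructed, not the project's files."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed foundry.toml resembling the weak configuration the report describes.
SAMPLE_TOML = """\
[profile.default]
src = "src"
out = "out"
libs = ["lib"]
ffi = true   # the setting that lets tests run shell commands

[profile.ci]
ffi = false
"""

# Constructed test contract resembling the testPwned behaviour described in the report
# (creates a marker file via the ffi cheatcode). Not the project's original test.
SAMPLE_TEST = """\
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "forge-std/Test.sol";

contract PwnedTest is Test {
    function testPwned() public {
        string[] memory cmd = new string[](2);
        cmd[0] = "touch";
        cmd[1] = "youve-been-pwned-remember-to-turn-off-ffi!";
        vm.ffi(cmd);
    }
}
"""

_SECTION = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_FFI_CALL = re.compile(r"\bvm\s*\.\s*ffi\s*\(")


def _parse_kv(line: str) -> Optional[Tuple[str, str]]:
    """Split a 'key = value' line with trailing comment stripped; foundry.toml is flat enough."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or "=" not in stripped:
        return None
    key, _, rest = stripped.partition("=")
    return key.strip(), rest.split("#", 1)[0].strip()


def profiles_with_ffi(toml_text: str) -> List[str]:
    """Names of [profile.*] sections in which ffi is enabled (Foundry disables ffi by default)."""
    enabled, section = [], "<top-level>"
    for line in toml_text.splitlines():
        m = _SECTION.match(line)
        if m:
            section = m.group("name").strip()
            continue
        kv = _parse_kv(line)
        if kv and kv[0] == "ffi" and kv[1] == "true":
            enabled.append(section)
    return enabled


def ffi_call_sites(sol_source: str) -> List[int]:
    """1-based line numbers where a Solidity source calls the vm.ffi cheatcode."""
    return [n for n, line in enumerate(sol_source.splitlines(), 1) if _FFI_CALL.search(line)]


def audit(toml_text: str, sources: Dict[str, str]) -> List[str]:
    """Combine both signals into findings for a reviewer or CI gate.
    A vm.ffi call is HIGH when some profile enables ffi, otherwise informational."""
    enabled = profiles_with_ffi(toml_text)
    findings = [f"foundry.toml: ffi = true in [{p}]; set ffi = false" for p in enabled]
    severity = "HIGH" if enabled else "INFO"
    for path, src in sources.items():
        for n in ffi_call_sites(src):
            findings.append(f"{path}:{n}: vm.ffi() call ({severity}: shell command run from test code)")
    return findings


def disable_ffi(toml_text: str) -> str:
    """Apply the recommendation: rewrite every 'ffi = true' as 'ffi = false',
    leaving all other lines (including comments) untouched."""
    out = []
    for line in toml_text.splitlines(keepends=True):
        kv = _parse_kv(line)
        if kv and kv[0] == "ffi" and kv[1] == "true":
            line = re.sub(r"=\s*true", "= false", line, count=1)
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    for finding in audit(SAMPLE_TOML, {"test/Pwned.t.sol": SAMPLE_TEST}):
        print(finding)
    print("--- hardened foundry.toml ---")
    print(disable_ffi(SAMPLE_TOML))
```

Run against a real repository by reading foundry.toml and every *.t.sol file into the sources mapping. A vm.ffi call is reported even when ffi is disabled, because a later config change (or a forge --ffi flag on the command line) would re-arm it; the config check and the source check are deliberately kept as separate signals so that either one failing is visible in review.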
It is crucial to proceed with caution before executing any third-party programs on your system. Take the time to understand what commands or scripts actually do in order to avert unintended consequences, particularly those that may introduce security vulnerabilities.