The test suite includes a function named testPwned()
, which executes arbitrary commands on the user's machine. This presents a significant security risk, as such commands could potentially extract sensitive data, establish a reverse shell for remote control, search for passwords, or install malware.
This is the malicious test which looks inoffensive as it just creates a file called youve-been-pwned-remember-to-turn-off-ffi!
but there is no underlying reason for this test to be here except a malicious behavior.
A more alarming scenario is demonstrated in the following proof of concept, where the user's API key could be compromised:
First, export the api key in your shell -
Then execute the test to store the API key in a file:
Alternatively, transmit it to an external server:
This POC demonstrates how a test could open a reverse shell, allowing an attacker to gain control over the user's machine.
This POC shows how a test could find specific files (starting with "pass" ) and send the results to a remote server.
This POC demonstrates a highly destructive command that could potentially erase all data on the user's root filesystem.
This issue is categorized as HIGH due to the direct risk it poses to funds and sensitive information.
The test, as it stands, is harmful. It could lead to data breaches (including private keys and passwords), unauthorized remote code execution, and the potential destruction of digital information (e.g., rm -rf /).
Manual inspection, foundry.
Remember to set ffi = false
inside foundry.toml as shown below, before running blanket commands like forge test
and similar.
Now, when you run forge test
, you will see a failing test with the error message:
In general, always exercise caution before running third-party programs on your system. Ensure you understand the functionality of any command or script to prevent unintended consequences, especially those involving security vulnerabilities.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.