Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Invalid

`testPwned` in the unit test suite executes arbitrary code on the caller's machine and could lead to loss of sensitive information

Summary

The test suite provided by the VotingBooth team includes a function named testPwned, which creates a file on the user's machine. The same mechanism is capable of executing arbitrary code on the user's machine.

Vulnerability Details

The testPwned function in the test suite uses the Foundry ffi cheatcode to execute arbitrary commands on the caller's machine. See the function below.

// cheatCodes is the Foundry Vm cheatcode interface instance declared elsewhere in the suite;
// Vm.ffi(string[]) runs the given command on the host and returns its output.
function testPwned() public {
    // argv for the host command: touch youve-been-pwned-remember-to-turn-off-ffi!
    string[] memory cmds = new string[](2);
    cmds[0] = "touch";
    cmds[1] = string.concat("youve-been-pwned-remember-to-turn-off-ffi!");
    // Runs on the machine executing `forge test` whenever ffi is enabled
    cheatCodes.ffi(cmds);
}

This function is not related to smart contract unit testing in any way.
Anyone who runs forge test executes it in the background, which runs the command. Here it merely creates a file named youve-been-pwned-remember-to-turn-off-ffi! to warn future security researchers.
But ffi is powerful enough to do almost anything before the user notices. Whoever controls the test suite can run anything, from stealing API keys and passwords to dropping a malicious file; the possibilities are endless.

Impact

Arbitrary code execution on the user's machine

Tools Used

Manual review

Recommendations

  • Turn off ffi before running the test suite.

  • Always check the trustworthiness of the code you are about to execute. If you don't understand the code, don't run it.

  • Use an isolated system if you still want to run the code without checking it first.
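A pre-flight check a reviewer can run before forge test on an unfamiliar repository, as an added example that is not part of this report or of the VotingBooth code: it fails when foundry.toml has ffi enabled or when any file under test/ calls the cheatcode, and it builds a constructed throwaway project mirroring testPwned to show the result. The foundry.toml key (ffi = true) is Foundry's real setting; the test/ directory layout is an assumed default, not something stated in the report.

```shell
#!/usr/bin/env sh
# Pre-flight check to run before `forge test` on an unfamiliar repository.
# Added example for this report, not code from the VotingBooth project.
# Assumptions (not stated on the page): Foundry enables the cheatcode via
# `ffi = true` in foundry.toml, and test sources live under test/.

# check_ffi PROJECT_DIR
# Exit status: 0 = no ffi found, 1 = ffi enabled in foundry.toml,
# 2 = a file under test/ calls .ffi(, 3 = both.
check_ffi() {
    proj="$1"
    status=0
    # An uncommented `ffi = true` anywhere in foundry.toml (any profile).
    if [ -f "$proj/foundry.toml" ] &&
       grep -Eq '^[[:space:]]*ffi[[:space:]]*=[[:space:]]*true' "$proj/foundry.toml"; then
        echo "ffi is enabled in $proj/foundry.toml" >&2
        status=1
    fi
    # Any call site such as vm.ffi(...) or cheatCodes.ffi(...). Deliberately
    # conservative: a match inside a comment still flags the project for review.
    if [ -d "$proj/test" ] && grep -rEq '\.ffi[[:space:]]*\(' "$proj/test"; then
        echo "ffi call sites under $proj/test:" >&2
        grep -rEn '\.ffi[[:space:]]*\(' "$proj/test" >&2
        status=$((status + 2))
    fi
    return "$status"
}

# make_sample: constructed throwaway project mirroring the report's testPwned,
# with ffi switched on in foundry.toml. Prints the project path.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/test"
    printf '[profile.default]\nffi = true\n' > "$dir/foundry.toml"
    cat > "$dir/test/Pwned.t.sol" <<'EOF'
contract PwnedTest {
    function testPwned() public {
        string[] memory cmds = new string[](2);
        cmds[0] = "touch";
        cmds[1] = "youve-been-pwned-remember-to-turn-off-ffi!";
        cheatCodes.ffi(cmds);
    }
}
EOF
    echo "$dir"
}

# Usage: gate forge test on the check.
sample=$(make_sample)
if check_ffi "$sample"; then
    echo "no ffi use found; safe to run: (cd $sample && forge test)"
else
    echo "refusing to run forge test on $sample until ffi use is reviewed"
fi
```

Run it from the repository root with the project path as the argument to check_ffi; a non-zero exit lists the offending config line and call sites on stderr so they can be reviewed before anything executes.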

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Out of scope
Assigned finding tags:

testPwned: ffi enabled for test

abhishekthakur Submitter over 1 year ago
0xnevi Lead Judge over 1 year ago
abhishekthakur Submitter over 1 year ago
0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Out of scope
