Summary

The test suites provided by the VotingBooth team includes a function named testPwned, which creates a file on user machine. It's capable of executing arbitrary code on user machine.

Vulnerability Details

testPwned function in test suite uses foundry ffi command to execute arbitrary code on caller machine. Check the function below.

This function is not related to smart contract unit testing in any way.
User who will run forge test will run it in background, leading to executing code. Although this just create a file youve-been-pwned-remember-to-turn-off-ffi! to aware upcoming security researcher.
But ffi is powerful enough to do almost anything before user actually noticing. Anyone who is controlling the test suite can call anything. From taking api to passwords, or dropping a malicious file. Possibilities are endless. Read More

Impact

Arbitrary code execution on user machine

Tools Used

Manual review

Recommendations

• Turn off the ffi before running test suite

• Always check the reliability of the code, you're trying to execute. If you don't understand the code, Don't run it.

• User a isolated system, if you still want to run the code without having a precheck.