CVE-2024-41163
A directory traversal vulnerability exists in the archive download functionality of Veertu Anka Build 1.42.0. A specially crafted HTTP request can lead to a disclosure of arbitrary files. An attacker can make an unauthenticated HTTP request to exploit this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Veertu Anka Build 1.42.0
Anka Build - https://veertu.com/anka-build/
7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
Anka Build is a suite of software tools designed for macOS virtualization, specifically for testing macOS or iOS applications in CI/CD environments. The suite comprises three main components: Controller, Registry, and Nodes. Anka Build Controller is a centralized dashboard for managing nodes, VM instances, templates, tags, and logs. Anka Build Registry serves as the central repository for macOS VM templates and tags, facilitating easy access and version control. Anka Build Nodes are macOS hosts that run on-demand VM instances.
The default installation of the Controller LaunchDaemon listens on port 80 and the Registry LaunchDaemon listens on port 8089.
A directory traversal vulnerability exists in the Anka Build Controller and Registry LaunchDaemons. This vulnerability is triggered when an HTTP GET request is sent to the Controller URI /api/v1/registry/log/archive or to the Registry URI /log/archive. Both requests ultimately invoke the veertu.com/veertu/registry/log_server.(*LogServer).handleGetArchive method within the anka-registry binary. The decompiled code for the veertu.com/veertu/registry/log_server.(*LogServer).handleGetArchive method is as follows:
v53 = (__int64 (__golang **)(void *))a2.tab;
v5 = net_url__ptr_URL_Query(a3->URL);
v58.ptr = (char *)&service;
v58.len = 7LL;
service_value = net_url_Values_Get(v5, v58); // <------- (1)
if ( service_value.len )
{
  v48 = v53[3](v55);
  concat_str = runtime_concatstring3(
                 0LL,
                 &aBinaryLittleen[0x1DA0],
                 21LL,
                 service_value.ptr,
                 service_value.len,
                 &tar_gz_str,
                 7LL);
  v40 = v8;
  concat_str_1 = concat_str;
  [...]
}
LABEL_15:
v20 = (*((__int64 (__golang **)(void *, char *, size_t, __int64, void *))v51->server.tab + 3))( //<----(2)
        v51->server.data,
        service_value.ptr,
        service_value.len,
        v17,
        v55);
if ( v20 )
At (1), the service parameter value is extracted from the URL query string. At (2), the veertu.com/veertu/registry/backend/disklogserver.(*Backend).Compress method is invoked. The first parameter of this method is the full path to the Centrol-logs directory. For the macOS installer, the default location of the Centrol-logs directory is /Library/Application Support/Veertu/Anka/registry/files/centrol-logs. The second parameter is the value of the service parameter. The Compress method appends the service parameter value to the Centrol-logs directory path without validating it for directory traversal characters such as dot-dot-slash (../). Subsequently, the newly appended path is compressed, and the resulting compressed file is sent in the response.
Here, the service HTTP parameter is vulnerable to path traversal. By utilizing dot-dot-slash (../) sequences or their variations, it may be possible to download arbitrary directories from the system where the Registry LaunchDaemon is installed.
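The missing check described above, written as an added Go example for defenders (this is not code from the anka-registry binary or from Veertu; the function name resolveArchivePath and the sample inputs are assumptions). It treats the service value as a single directory entry under the configured centrol-logs path and refuses anything that would resolve outside it.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when the requested name would escape the log directory.
var ErrTraversal = errors.New("service name escapes the log directory")

// resolveArchivePath joins the configured centrol-logs directory with the
// user-supplied service value and refuses any result outside that directory.
// The vulnerable handler in the advisory performs the join without such a check.
// (Hypothetical helper written for this advisory, not vendor code.)
func resolveArchivePath(baseDir, service string) (string, error) {
	if service == "" {
		return "", errors.New("service parameter is required")
	}
	// A service name is one directory entry: no separators, no "." or "..".
	if strings.ContainsAny(service, `/\`) || service == "." || service == ".." {
		return "", ErrTraversal
	}
	base := filepath.Clean(baseDir)
	joined := filepath.Join(base, service) // Join also cleans the result
	// Defense in depth: the cleaned path must still sit strictly under base.
	rel, err := filepath.Rel(base, joined)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return joined, nil
}

func main() {
	// Default macOS installer location named in the advisory.
	base := "/Library/Application Support/Veertu/Anka/registry/files/centrol-logs"
	// Constructed sample values: one legitimate name and three traversal attempts.
	for _, svc := range []string{"controller", "..", "../other-dir", `a/../../b`} {
		p, err := resolveArchivePath(base, svc)
		fmt.Printf("%q -> %q (err: %v)\n", svc, p, err)
	}
}
```

The check is purely lexical; if the log directory may contain symlinks that point elsewhere, resolve the candidate with filepath.EvalSymlinks before the Rel comparison.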
Fixed in Anka Build Cloud 1.43.0.
2024-08-12 - Vendor Disclosure
2024-08-12 - Initial Vendor Contact
2024-09-30 - Vendor Patch Release
2024-10-03 - Public Release
Discovered by KPC of Cisco Talos.