Source: disclosure@vulncheck.com
CasaOS versions up to and including 0.4.15 expose multiple unauthenticated endpoints that allow remote attackers to retrieve sensitive configuration files and system debug information. The /v1/users/image endpoint can be abused with a user-controlled path parameter to access files under /var/lib/casaos/1/, which reveals installed applications and configuration details. Additionally, /v1/sys/debug discloses host operating system, kernel, hardware, and storage information. The endpoints also return distinct error messages, enabling file existence enumeration of arbitrary paths on the underlying host filesystem. This information disclosure can be used for reconnaissance and to facilitate targeted follow-up attacks against services deployed on the host.
CasaOS versions 0.4.15 and below are vulnerable to critical information disclosure, allowing attackers to remotely access sensitive configuration files and system debug information. This vulnerability enables attackers to gather crucial details about the host system, including installed applications, operating system details, and storage information, facilitating further attacks. Successful exploitation can lead to complete system compromise.
Step 1: Reconnaissance: The attacker identifies a vulnerable CasaOS instance (version <= 0.4.15) accessible from the network.
Step 2: Information Gathering via /v1/users/image: The attacker crafts a malicious request to the /v1/users/image endpoint, providing a path parameter that points to a sensitive configuration file (e.g., /var/lib/casaos/1/apps.db).
Step 3: File Retrieval: The CasaOS server, due to the lack of input validation, processes the request and retrieves the contents of the specified file.
Step 4: Information Gathering via /v1/sys/debug: The attacker sends a request to the /v1/sys/debug endpoint.
Step 5: System Information Disclosure: The CasaOS server returns detailed system information, including OS version, kernel version, hardware details, and storage configuration.
Step 6: File Existence Enumeration: The attacker uses the distinct error messages returned by both endpoints to determine the existence of specific files on the system, further refining their reconnaissance efforts.
Step 7: Subsequent Attacks: The attacker uses the gathered information to plan and execute follow-up attacks, such as credential harvesting, privilege escalation, or lateral movement, targeting other services or systems on the host or network.
The vulnerability stems from insufficient input validation and access control on multiple unauthenticated endpoints within CasaOS. Specifically, the /v1/users/image endpoint fails to properly sanitize the path parameter, allowing attackers to traverse the filesystem and retrieve arbitrary files under /var/lib/casaos/1/. This path traversal vulnerability, combined with the lack of authentication, enables attackers to read sensitive configuration files. The /v1/sys/debug endpoint further exacerbates the issue by exposing detailed system information, including the operating system, kernel version, hardware details, and storage configuration. The distinct error messages returned by these endpoints also allow for file existence enumeration, enabling attackers to identify specific files and directories on the host filesystem, further aiding in reconnaissance. The root cause is a lack of proper input validation and authorization checks, allowing attackers to bypass security controls and access sensitive information.
Likely to be exploited by a wide range of threat actors, including opportunistic attackers, ransomware groups, and potentially APTs seeking initial access. CISA KEV status: Likely to be added due to the ease of exploitation and potential for significant impact.
Network traffic analysis: Look for requests to /v1/users/image with unusual path parameters, especially those traversing the filesystem (e.g., using ../).
Network traffic analysis: Look for requests to /v1/sys/debug.
Log analysis: Examine CasaOS server logs for suspicious activity, such as unauthorized file access attempts or unusual error messages.
File integrity monitoring: Monitor critical configuration files for unauthorized modifications.
Endpoint Detection and Response (EDR): Implement EDR solutions to detect and respond to malicious activity, such as file access attempts and suspicious network connections.
Upgrade to CasaOS version 0.4.16 or later, which includes a fix for this vulnerability.
Implement input validation and sanitization on all user-supplied input, especially the path parameter in the /v1/users/image endpoint.
Implement proper access control and authentication mechanisms for all endpoints, ensuring that only authorized users can access sensitive information.
Restrict access to the CasaOS web interface to only trusted networks or users.
Regularly review and update security configurations and patches.
Implement a Web Application Firewall (WAF) to filter malicious requests.
Monitor system logs for suspicious activity and security events.