CVE-2025-34171

MEDIUM 6.9 / 10.0
Published: January 2, 2026 at 05:15 PM
Modified: January 8, 2026 at 06:09 PM
Source: disclosure@vulncheck.com

Vulnerability Description

CasaOS versions up to and including 0.4.15 expose multiple unauthenticated endpoints that allow remote attackers to retrieve sensitive configuration files and system debug information. The /v1/users/image endpoint can be abused with a user-controlled path parameter to access files under /var/lib/casaos/1/, which reveals installed applications and configuration details. Additionally, /v1/sys/debug discloses host operating system, kernel, hardware, and storage information. The endpoints also return distinct error messages, enabling file existence enumeration of arbitrary paths on the underlying host filesystem. This information disclosure can be used for reconnaissance and to facilitate targeted follow-up attacks against services deployed on the host.

CVSS Metrics

Base Score: 6.9
Severity: MEDIUM
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses (CWE)

Source: disclosure@vulncheck.com

AI Security Analysis

01 // Technical Summary

CasaOS versions 0.4.15 and below are vulnerable to an information disclosure that lets remote attackers access sensitive configuration files and system debug information without authentication. Attackers can use it to gather reconnaissance data, including installed applications and host operating system details, and to enumerate which files exist on the host, facilitating further exploitation and compromise of the host system.

02 // Vulnerability Mechanism

Step 1: Reconnaissance: The attacker identifies a CasaOS instance running a vulnerable version (<= 0.4.15).

Step 2: Endpoint Targeting: The attacker targets the /v1/users/image endpoint with a crafted path parameter, attempting to read sensitive files like configuration files (e.g., application configuration, database credentials) under /var/lib/casaos/1/.

Step 3: Information Gathering (File Enumeration): The attacker uses the distinct error messages returned by the vulnerable endpoints to enumerate the existence of files and directories on the underlying host filesystem, allowing them to identify potential targets.

Step 4: System Information Disclosure: The attacker leverages the /v1/sys/debug endpoint to retrieve host operating system, kernel, hardware, and storage information.

Step 5: Data Exfiltration: The attacker successfully retrieves sensitive configuration files and system information, providing valuable intelligence for further attacks.

Step 6: Follow-on Exploitation: The attacker uses the gathered information to craft targeted attacks against other services running on the host, such as exploiting known vulnerabilities in installed applications or attempting to gain privileged access.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation and access control on multiple unauthenticated API endpoints within CasaOS. Specifically, the /v1/users/image endpoint fails to properly sanitize the user-controlled path parameter, allowing attackers to traverse the filesystem and retrieve arbitrary files under /var/lib/casaos/1/. The /v1/sys/debug endpoint also lacks proper authentication and authorization, directly exposing sensitive system information. The error messages returned by these endpoints make the issue worse: because they differ depending on whether a path exists, attackers can probe for specific files and directories on the host filesystem. The root cause is user-supplied input used without proper sanitization, combined with missing access control, which leads to path traversal and information disclosure.
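For defenders, a log check for the two endpoints described above, as an added example that is not code from CasaOS or from the advisory. It assumes requests are logged in combined log format by a reverse proxy in front of CasaOS and that the query parameter is literally named path; the log lines, file names and the threshold are constructed.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

DATA_DIR = "/var/lib/casaos/1/"  # directory named in the advisory

# Constructed sample lines (documentation IP ranges, placeholder file names).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jan/2026:10:00:01 +0000] "GET /v1/sys/debug HTTP/1.1" 200 2311 "-" "curl/8.5.0"
203.0.113.7 - - [02/Jan/2026:10:00:02 +0000] "GET /v1/users/image?path=/var/lib/casaos/1/example.json HTTP/1.1" 200 412 "-" "curl/8.5.0"
203.0.113.7 - - [02/Jan/2026:10:00:03 +0000] "GET /v1/users/image?path=/etc/hostname HTTP/1.1" 400 61 "-" "curl/8.5.0"
203.0.113.7 - - [02/Jan/2026:10:00:04 +0000] "GET /v1/users/image?path=/var/lib/casaos/1/../db/x HTTP/1.1" 400 58 "-" "curl/8.5.0"
198.51.100.20 - - [02/Jan/2026:10:05:00 +0000] "GET /v1/users/image?path=/var/lib/casaos/1/avatar.png HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def analyze(log_text, enum_threshold=3):
    """Return {client_ip: [reasons]} for clients whose requests look like probing."""
    debug_hits = defaultdict(int)
    paths = defaultdict(set)     # distinct normalized path values per client
    outside = defaultdict(set)   # values that resolve outside DATA_DIR
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        url = urlsplit(target)
        if url.path == "/v1/sys/debug":
            debug_hits[client] += 1
        elif url.path == "/v1/users/image":
            for raw in parse_qs(url.query).get("path", []):
                norm = posixpath.normpath(raw)  # collapses ../ segments
                paths[client].add(norm)
                if not norm.startswith(DATA_DIR):
                    outside[client].add(norm)
    findings = {}
    for client in sorted(set(debug_hits) | set(paths)):
        reasons = []
        if debug_hits[client]:
            reasons.append("sys_debug_access")
        if len(paths[client]) >= enum_threshold:  # many distinct paths: enumeration
            reasons.append("path_enumeration")
        if outside[client]:
            reasons.append("path_outside_data_dir")
        if reasons:
            findings[client] = reasons
    return findings
```

A single image request for a file inside the data directory is not flagged, since ordinary use of the endpoint cannot be told apart from abuse by the URL alone; tune enum_threshold to the traffic you actually see.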
