Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., `security.json`, `package.json`), leading to account takeover and Remote Code Execution (RCE). Version 2.19.0 patches this vulnerability.
Unauthenticated attackers can exploit a critical vulnerability in Signal K Server versions prior to 2.19.0, allowing them to hijack the server's restore functionality. This leads to account takeover and remote code execution (RCE) by overwriting critical configuration files.
Step 1: Payload Delivery: The attacker crafts a malicious HTTP request to the /skServer/validateBackup endpoint. This request includes a crafted restoreFilePath parameter.
Step 2: File Path Manipulation: The attacker sets the restoreFilePath to point to a critical server configuration file, such as security.json or package.json.
Step 3: Malicious Content Injection: The attacker prepares malicious content to overwrite the targeted configuration file. For security.json, this might include a new administrator account. For package.json, this might include a malicious script to be executed.
Step 4: Administrator Trigger: The attacker waits for an administrator to initiate a backup restore operation.
Step 5: File Overwrite: The server, using the attacker-controlled restoreFilePath, overwrites the targeted configuration file with the attacker's malicious content.
Step 6: Account Takeover/RCE: Depending on the targeted file and injected content, the attacker gains administrator access or achieves remote code execution.
The vulnerability stems from insufficient input validation on the /skServer/validateBackup endpoint. Specifically, the server fails to properly sanitize the restoreFilePath parameter, which dictates where the server will restore configuration files from a backup. An attacker can craft a malicious request to this endpoint, providing a crafted restoreFilePath that points to critical server configuration files (e.g., security.json, package.json). When the administrator later initiates a restore, the server blindly uses the attacker-controlled restoreFilePath, overwriting these files with attacker-controlled content. This leads to account takeover (by modifying security.json to include a backdoor administrator account) and RCE (by injecting malicious code into package.json and triggering its execution). The root cause is a lack of proper input validation and sanitization of the restoreFilePath parameter, combined with a flawed design that allows arbitrary file overwrites during the restore process.