Trtnx's picture
add huntr PoC bundle
ca8cc77 verified
|
Raw
History Blame Contribute Delete
1.66 kB

DB-GPT v0.8.0 — Unauthenticated arbitrary file write (path traversal / absolute path) — huntr PoC

Private/gated proof-of-concept accompanying a huntr vulnerability report. Access is granted only to the huntr triage bot.

Target: eosphoros-ai/DB-GPT @ v0.8.0 (commit a3f21350, latest release).

An unauthenticated POST /api/v1/python/file/upload passes the raw multipart filename straight into os.path.join(upload_dir, file.filename) with no sanitization, then open(file_path,"wb").write(content). An absolute-path filename (/tmp/evil) or ../ traversal escapes the intended <work_dir>/python_uploads/<user_id>/ confinement and writes attacker-controlled bytes to an attacker-chosen path — anywhere the DB-GPT service user can write.

Contents

  • README.md — this file.
  • REPORT.md / POC.md — the vulnerability report and walkthrough (added separately).
  • poc/fire_005.py — self-contained deterministic PoC. Run network-isolated:
    unshare --user --map-root-user --net python3 poc/fire_005.py
    
  • poc/vendor/python_upload_api.py — the real v0.8.0 source file the PoC AST-extracts and executes (the python_file_upload handler with the untouched os.path.join sink), byte-identical to the released PyPI wheel dbgpt-app==0.8.0 — sha256 in poc/PROVENANCE.txt (7eb363ff…, verified at runtime).
  • poc/sandbox_005.log — a recorded run: Oracle A (absolute-path escape) + Oracle B (.. traversal) + NEG-CONTROL (benign filename stays confined) all PASS.

Harmless marker only (short text files, cleaned up); no network egress; the target repository is never built or installed.