Overnight pentest run produced recon, analysis, exploitation reports, and a full security assessment. Plan.md updated with 22 prioritized fix items for auth, SSRF, injection, XSS, and hardening. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Exploitation Complete
Full report written to loop/pentest/exploitation-report.md.
Results Summary
21 findings confirmed via live exploitation. Here are the highlights:
| Severity | Count | Most Critical |
|---|---|---|
| Critical | 6 | AUTH-001/002/005/007, SSRF-004, INJ-002 |
| High | 7 | AUTH-003/008/009/011, XSS-004/007, SSRF-001/002 |
| Medium | 5 | AUTH-006/012, XSS-001, INJ-001 |
| Low | 3 | XSS-005, INJ-007 |
Most Dangerous Confirmed Findings
- AUTH-002 + `node.signChallenge` — Signed `"pentest-proof-of-concept"` with the node's ed25519 private key, no auth needed. Returned signature: `bb10f455...fc3d040a`
- AUTH-002 + `auth.resetOnboarding` — Reset the system's onboarding state without any authentication. Returned `{"result":true}`.
- AUTH-007 — WebSocket at `/ws/db` dumps 20KB of full system state (all packages, node identity, peer list) to any connecting client.
- SSRF-004 / INJ-006 — `package.install` executed `podman pull` to an attacker-controlled registry (`localhost:1`). If a real registry were specified, arbitrary code would run in a container.
- INJ-002 — `package.uninstall` accepted `../../tmp/pentest-traversal-probe` and returned success — path traversal to `rm -rf` arbitrary directories.
- SSRF-001 — `node-check-peer` accepted port injection (`onion:9999`) and made an outbound request through Tor with no validation.
Root Cause
AUTH-001 is the root of everything: `auth.login` verifies passwords but creates no session. The entire RPC handler dispatches directly to method handlers with zero middleware. The fix is to wire the existing `core/startos/src/middleware/auth.rs` session middleware into the `core/archipelago/` HTTP handler.
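
The gate the root cause calls for, as an added Rust sketch that is not the project's middleware or code from this report: login creates a session, and every other method is refused before dispatch unless the caller presents one. `Rpc`, `RpcError`, `PUBLIC_METHODS` and the handler bodies are hypothetical stand-ins, and the token source assumes a Unix `/dev/urandom`.

```rust
use std::{collections::HashSet, fs::File, io::Read};

// Methods reachable without a session. Everything else is denied by default.
const PUBLIC_METHODS: &[&str] = &["auth.login"];

#[derive(Debug, PartialEq)]
pub enum RpcError { Unauthorized, BadCredentials, UnknownMethod }

// Hypothetical stand-in for the RPC handler; not the project's types.
pub struct Rpc { sessions: HashSet<String>, password: String }

impl Rpc {
    pub fn new(password: &str) -> Self { Rpc { sessions: HashSet::new(), password: password.to_string() } }

    // 256-bit session token read from the OS CSPRNG (Unix path assumed).
    fn new_token() -> String {
        let mut buf = [0u8; 32];
        File::open("/dev/urandom").and_then(|mut f| f.read_exact(&mut buf)).expect("entropy");
        buf.iter().map(|b| format!("{:02x}", b)).collect()
    }

    pub fn call(&mut self, method: &str, token: Option<&str>, param: &str) -> Result<String, RpcError> {
        // The gate runs before dispatch, so a caller without a session
        // cannot even learn which method names exist.
        let authed = token.map_or(false, |t| self.sessions.contains(t));
        if !PUBLIC_METHODS.contains(&method) && !authed {
            return Err(RpcError::Unauthorized);
        }
        match method {
            "auth.login" => {
                // Placeholder comparison; a real handler verifies a password hash.
                if param != self.password { return Err(RpcError::BadCredentials); }
                let t = Self::new_token();
                self.sessions.insert(t.clone()); // the step AUTH-001 reports as missing
                Ok(t)
            }
            // Constructed handler bodies standing in for the real methods.
            "auth.resetOnboarding" => Ok("{\"result\":true}".to_string()),
            "node.signChallenge" => Ok(format!("signature-over:{}", param)),
            _ => Err(RpcError::UnknownMethod),
        }
    }
}

fn main() {
    let mut rpc = Rpc::new("constructed-password");
    println!("{:?}", rpc.call("node.signChallenge", None, "x"));
    let t = rpc.call("auth.login", None, "constructed-password").unwrap();
    println!("{:?}", rpc.call("node.signChallenge", Some(t.as_str()), "x"));
}
```

Keeping the unauthenticated list as an explicit allowlist means a newly added RPC method is protected unless someone deliberately exposes it.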