lfg2025/archy
1
0
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects Releases 44 Wiki Activity
archy/loop/pentest/exploitation/evidence.md
Dorian 6623dbc4ab chore: add security pentest reports and remediation plan 
Overnight pentest run produced recon, analysis, exploitation reports,
and a full security assessment. Plan.md updated with 22 prioritized
fix items for auth, SSRF, injection, XSS, and hardening.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-06 03:08:14 +00:00

32 lines
1.8 KiB
Markdown
Raw Blame History

## Exploitation Complete
Full report written to `loop/pentest/exploitation-report.md`.
### Results Summary
**21 findings confirmed via live exploitation.** Here are the highlights:
| Severity | Count | Most Critical |
|----------|-------|---------------|
| **Critical** | 6 | AUTH-001/002/005/007, SSRF-004, INJ-002 |
| **High** | 7 | AUTH-003/008/009/011, XSS-004/007, SSRF-001/002 |
| **Medium** | 5 | AUTH-006/012, XSS-001, INJ-001 |
| **Low** | 3 | XSS-005, INJ-007 |
### Most Dangerous Confirmed Findings
1. **AUTH-002 + node.signChallenge** — Signed `"pentest-proof-of-concept"` with the node's ed25519 private key, no auth needed. Returned signature: `bb10f455...fc3d040a`
2. **AUTH-002 + auth.resetOnboarding** — Reset the system's onboarding state without any authentication. Returned `{"result":true}`.
3. **AUTH-007** — WebSocket at `/ws/db` dumps 20KB of full system state (all packages, node identity, peer list) to any connecting client.
4. **SSRF-004 / INJ-006**`package.install` executed `podman pull` to an attacker-controlled registry (`localhost:1`). If a real registry were specified, arbitrary code would run in a container.
5. **INJ-002**`package.uninstall` accepted `../../tmp/pentest-traversal-probe` and returned success — path traversal to `rm -rf` arbitrary directories.
6. **SSRF-001**`node-check-peer` accepted port injection (`onion:9999`) and made an outbound request through Tor with no validation.
### Root Cause
**AUTH-001** is the root of everything: `auth.login` verifies passwords but creates no session. The entire RPC handler dispatches directly to method handlers with zero middleware. The fix is to wire the existing `core/startos/src/middleware/auth.rs` session middleware into the `core/archipelago/` HTTP handler.
Reference in New Issue View Git Blame Copy Permalink