Open Policy Agent (OPA) v0.60.0 - Local File Inclusion Vulnerability

Severity: High

Vulnerability Type: Local File Inclusion (LFI)

Affected System: Open Policy Agent (OPA) v0.60.0

Overview: Open Policy Agent (OPA) is an open-source, general-purpose policy engine that enables fine-grained, context-aware policy enforcement across the entire stack. A critical security vulnerability has been identified in OPA version 0.60.0, allowing an attacker to perform Local File Inclusion (LFI) attacks through the opa parse command, leading to unauthorized access to sensitive files on the host system.

Description: The vulnerability exists in the implementation of the opa parse command, specifically in the handling of file paths passed as arguments. An attacker can exploit this flaw to read arbitrary files on the host system by manipulating the file path parameter. This could lead to the exposure of sensitive information, including configuration files, cryptographic keys, and other privileged data.

Vulnerability Details: The issue arises from insufficient validation of user-supplied input when specifying file paths in the opa parse command. By providing a crafted file path, an attacker can trick the application into reading and disclosing the contents of files that should be restricted.

Steps to Reproduce:

  1. Download and install OPA version 0.60.0.

  2. Execute the following command with a malicious file path:

    ./opa parse /etc/passwd:$(echo '1337' > /tmp/test2) --format json

  3. Observe the application parsing the malicious file path and displaying the contents of the specified file.
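
One way for a service that hands user-supplied paths to opa parse to validate them first, added here as an example and not code from OPA or from the author of this report: it confines the path to a policy directory and builds the argument vector without a shell. The helper names resolvePolicyPath and parseCommand, the policies directory and the sample inputs are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// resolvePolicyPath (hypothetical helper) confines an untrusted path to baseDir.
func resolvePolicyPath(baseDir, untrusted string) (string, error) {
	base, err := filepath.EvalSymlinks(baseDir)
	if err != nil {
		return "", err
	}
	// Join re-roots absolute input under base; EvalSymlinks follows links, fails if missing.
	resolved, err := filepath.EvalSymlinks(filepath.Join(base, untrusted))
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(base, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("path escapes the policy directory")
	}
	if info, err := os.Stat(resolved); err != nil || !info.Mode().IsRegular() {
		return "", errors.New("not a regular file")
	}
	return resolved, nil
}

// parseCommand builds argv directly: no shell runs, so "$(...)" stays literal text.
func parseCommand(opaBin, baseDir, untrusted string) (*exec.Cmd, error) {
	p, err := resolvePolicyPath(baseDir, untrusted)
	if err != nil {
		return nil, err
	}
	return exec.Command(opaBin, "parse", "--format", "json", p), nil
}

func main() {
	dir, _ := os.MkdirTemp("", "policies") // constructed sample directory
	defer os.RemoveAll(dir)
	os.WriteFile(filepath.Join(dir, "ok.rego"), []byte("package x\n"), 0o600)
	for _, in := range []string{"ok.rego", "/etc/passwd:$(echo '1337' > /tmp/test2)"} {
		cmd, err := parseCommand("opa", dir, in)
		fmt.Printf("%q -> cmd=%v err=%v\n", in, cmd, err)
	}
}
```
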

Reference:

  1. Proof of Concept Video: https://drive.google.com/file/d/1PqsuJwgGofC_mZfaNdER7JfIogf87a_j/view?usp=sharing

  2. Demonstration of Exploited Vulnerability: https://drive.google.com/file/d/1c27ve_G-HQmi1LNBqu4Lu2EnYyCgFleD/view?usp=sharing