VYPR
Low severity · GHSA Advisory · Published May 6, 2026 · Updated May 6, 2026

Magic Wormhole: receive, with --output pointing at an existing directory can be path-traversed

CVE-2026-42448

Description

Impact

A receiver who specifies "--output " where that output directory currently exists (as a directory).

Patches

0.24.0 will contain the patch

Workarounds

Ensure local target directories specified by "--output" do not already exist

Resources

Private email and Signal communications from a user. Magic Wormhole thanks @marduc812

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Magic Wormhole receive with --output pointing at an existing directory allows path traversal, enabling file overwrite or creation outside the intended directory.

Vulnerability

Overview

Magic Wormhole is a tool for securely transferring files and directories between computers using short, human-pronounceable codes [1]. A vulnerability exists in the wormhole receive command when the --output flag specifies a directory that already exists. Instead of failing or creating a new subdirectory, the tool writes received files directly into that existing directory, potentially allowing path traversal if the sender includes filenames with directory components [2].

Attack

Vector and Exploitation

The attack requires the receiver to use the --output option with a path that is an existing directory. The sender can then craft a filename containing path traversal sequences (e.g., ../malicious.txt) or simply place files in the root of the existing directory. No authentication is needed beyond the wormhole code exchange, and the receiver's interaction is limited to initiating the transfer. The attack complexity is low, as it only requires the sender to control the filename [2].

Impact

An attacker who controls the sender side can write files to arbitrary locations within the receiver's file system, relative to the specified output directory. This can lead to overwriting existing files or creating new ones, potentially compromising the integrity of the receiver's system. The confidentiality impact is low, as the attacker cannot read files, but the integrity impact can be high if critical files are overwritten [2].

Mitigation

The vulnerability is patched in version 0.24.0 [2]. Users are advised to update to the latest version. As a workaround, ensure that the target directory specified by --output does not already exist before running the receive command [2].
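The receive-side containment check that closes this class of bug, as an added example written for this page and not code from magic-wormhole (the project's actual 0.24.0 fix is not shown on this page). The function names resolve_received_path, is_safe_name and demo, and the sample filenames in demo, are constructed for illustration; the check treats every sender-supplied name as untrusted and also rejects escapes through symlinks already present under the output directory.

```python
"""Containment check for filenames arriving from an untrusted sender.

Hypothetical example written for this page, not magic-wormhole code. A
received name must land strictly inside the --output directory, so
absolute names, '..' components and symlink escapes are rejected first.
"""
import tempfile
from pathlib import Path, PurePosixPath

class UnsafeFilename(ValueError):
    """A received name would escape the output directory."""

def resolve_received_path(output_dir: Path, received_name: str) -> Path:
    """Map the wire-level name onto a path inside output_dir, or raise."""
    rel = PurePosixPath(received_name)  # interpret the name exactly as sent
    if rel.is_absolute() or not rel.parts:
        raise UnsafeFilename(f"absolute or empty name: {received_name!r}")
    # Reject '..' outright instead of trying to normalise it away.
    if ".." in rel.parts:
        raise UnsafeFilename(f"parent-directory component: {received_name!r}")
    # Backslashes and drive letters would act as separators on Windows.
    if any("\\" in p or ":" in p for p in rel.parts):
        raise UnsafeFilename(f"foreign separator: {received_name!r}")
    root = output_dir.resolve()
    # resolve() follows symlinks already present under root (a missing
    # leaf is tolerated); the result must still sit strictly below root.
    candidate = (root / Path(*rel.parts)).resolve()
    if root not in candidate.parents:
        raise UnsafeFilename(f"escapes output directory: {received_name!r}")
    return candidate

def is_safe_name(output_dir: Path, received_name: str) -> bool:
    """Boolean form of resolve_received_path."""
    try:
        resolve_received_path(output_dir, received_name)
        return True
    except UnsafeFilename:
        return False

def demo() -> dict:
    """Check constructed names against a temp output dir holding a symlink that points outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        out, outside = Path(tmp, "received"), Path(tmp, "outside")
        out.mkdir()
        outside.mkdir()
        (out / "link").symlink_to(outside, target_is_directory=True)
        names = ["report.pdf", "sub/dir/file.txt", "../escape.txt",
                 "sub/../../escape.txt", "/etc/passwd", "link/escape.txt",
                 "..\\escape.txt"]
        return {name: is_safe_name(out, name) for name in names}
```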

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: magic-wormhole (PyPI)
Affected versions: >= 0.23.0, < 0.24.0
Patched versions: 0.24.0
