A SecureDrop Workstation audit, performed by Trail of Bits and funded by the New York Times, found a high-risk directory traversal bug that could be used for code execution attacks. According to the audit report, “the high severity finding details a case where a malicious SecureDrop server could build files in arbitrary paths in the sd-app VM, potentially allowing for code execution.”
“When the SecureDrop Workstation client downloads a file, it stores it in a location derived from the filename returned by the server. However, since this location is not sanitized properly in all cases, an attacker who controls responses from the server can make the client save files in arbitrary paths on the filesystem. An attacker can use this vulnerability to plant files that potentially enable further vulnerabilities.”

The code auditors at Trail of Bits discovered two instances where a malicious SecureDrop server could plant files. Overall, SecureDrop Workstation received a clean bill of health from the security assessment. “During our engagement, we were unable to achieve a direct compromise of the Workstation from the location of an Internet-based attacker,” Trail of Bits said, but added that this doesn’t rule out the possibility of such a compromise, nor does it mean that SecureDrop Workstation is bug-free.

The Freedom of the Press Foundation is currently in charge of SecureDrop Workstation. The platform, which is based on Qubes OS, allows news agencies, journalists, sources, and whistleblowers to communicate in a safe and encrypted manner. It is currently being piloted on a small scale.

According to the Foundation, the audit report reinforced some of its conclusions about the use of virtualization to segment sensitive workloads, and it was satisfied with the finding that the system “represents a complex but well studied product that has been thoughtfully designed.” According to the Foundation, none of the issues found can be directly exploited by an attacker; all involve either a compromise of the SecureDrop server or code execution in some main VMs within the SecureDrop Workstation.

Trail of Bits discovered and reported 1 high-risk, 6 medium-risk, 7 low-risk, and 12 informational disclosure issues over the course of their engagement (6 person-weeks with two pen-test/code audit engineers).
The audit found that the high-severity and six medium-severity problems had already been fixed and posted, and that the corrections had been checked by the auditing team. The Foundation also reported that it is looking into possible architectural changes, such as the development of a custom RPC service to handle file opening.

“In addition to responding to the issues raised in this study, we’re incorporating input from current pilot participants and developing new features related to export and integration with other communication tools. We’re working on extending the pilot to a few more news organisations, and we plan to make it available to everyone later this year,” the Foundation said.
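
The directory traversal finding quoted above comes down to a download location derived from a server-supplied filename. The following is an added illustration, not code from SecureDrop or from the audit report: it contrasts an unchecked path join with a client-side check that accepts only a single plain filename and confirms the resolved target stays inside the data directory. The function names and sample filenames are hypothetical and constructed for this example.

```python
import os
import tempfile
from pathlib import Path


class UnsafeFilename(ValueError):
    """Raised when a server-supplied filename would escape the data directory."""


def naive_path(data_dir: str, server_filename: str) -> str:
    # Unchecked pattern: the server-controlled name is joined as-is, so
    # ".." segments or an absolute path decide where the file ends up.
    return os.path.normpath(os.path.join(data_dir, server_filename))


def checked_path(data_dir: str, server_filename: str) -> str:
    # Accept only a single plain path component.
    if (not server_filename
            or server_filename in (".", "..")
            or "\x00" in server_filename
            or os.path.basename(server_filename) != server_filename):
        raise UnsafeFilename(repr(server_filename))
    base = Path(data_dir).resolve()
    target = (base / server_filename).resolve()
    # Defence in depth: with symlinks resolved, target must still be under base.
    if base not in target.parents:
        raise UnsafeFilename(repr(server_filename))
    return str(target)


def demo() -> dict:
    # Constructed filenames standing in for values returned by a server.
    samples = ["1-source-msg.gpg", "../../outside/planted.txt",
               "/tmp/planted.txt", "sub/../../escape", ".."]
    results = {}
    with tempfile.TemporaryDirectory() as data_dir:
        base = os.path.realpath(data_dir)
        for name in samples:
            escapes = os.path.commonpath([base, naive_path(base, name)]) != base
            try:
                checked_path(base, name)
                accepted = True
            except UnsafeFilename:
                accepted = False
            results[name] = (escapes, accepted)  # (naive escapes?, check accepts?)
    return results
```

Calling `demo()` returns, for each sample name, whether the unchecked join leaves the data directory and whether the checked version accepts the name.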