Security disclosure: appcd vulnerability

Adam

Affected appcd versions: 1.6.0, 1.6.1, 1.6.2

This vulnerability related to the new Let's Encrypt implementation. Due to a race condition, a carefully crafted symlink, written at exactly the right moment, could cause the acme challenge file to be written outside of the user's home directory.

The vulnerability was patched in appcd 1.7.0.

This vulnerability was reported by an external security researcher and there are no reports of this having been actively exploited.

JohnB

Adam could cause the acme challenge file to be written outside of the user's home directory.

Correct me if I'm wrong but this wasn't really exploitable in terms of compromising the server/data right? Or did the vulnerability allow manipulating the permissions and content of the challenge file (ie to run a malicious script)?

necrom

JohnB I read it as potentially you could overwrite another users acme file with your own

Adam

An attacker couldn't change the content of the file but they could write it to an arbitrary location anywhere on the system.