Privileged Java agent injection allows arbitrary host file overwrite via untrusted TMPDIR · Advisory · open-telemetry/opentelemetry-ebpf-instrumentation · GitHub

Vulnerability Overview Title: Privileged Java agent injection allows arbitrary host file overwrite via untrusted TMPDIR CVE ID: CVE-2024-41433 CVSS Score: 8.4 / 10 (High) Source: GitHub Advisory Database (GHSA-g9mg-3w2q-65f4) Description: A security vulnerability exists in the Java Agent injection path of the project. When Java injection is enabled and OBI runs with elevated privileges, an attacker can control the environment variable of the target process and exploit unsafe file creation semantics to overwrite arbitrary host files. This vulnerability enables filesystem boundary escape and symbolic link-based file tampering. Technical Details: The vulnerability results from two combined issues: 1. Untrusted TMPDIR: The injector reads the environment variable from the target process and constructs a path using . If is an absolute path (e.g., or ), discards , causing path resolution outside the intended target process directory. 2. Unsafe File Creation Semantics: When writing the JAR to the target directory, it uses . Due to the lack of exclusive creation or symlink protection, an attacker can pre-create a symbolic link, causing the injector to truncate and overwrite the file pointed to by the symlink. Impact Scope Affected Versions: >= v0.4.0, < v0.8.0 Affected Users: Deployments with Java injection enabled. OBI running with elevated privileges. Untrusted local workloads capable of running Java processes on the same host. Potential Consequences: Host integrity compromise. Service disruption or denial of service. Possible local privilege escalation. Remediation Upgrade Version: Upgrade to or later. Reference Link: https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/tag/v0.8.0 POC Code & Exploitation Details Relevant Code Snippets: Reproduction Steps (Path Escape): 1. Start a Java process with a controlled environment variable, e.g.: or 2. Ensure the process is discovered and selected by OBI for Java injection. 3. Wait for the injector to prepare the JAR. 4. Observe the injector attempting to write under (an attacker-controlled host path). Reproduction Steps (Symbolic Link Tampering): 1. Start a Java process with or another writable temporary directory. 2. Before injection occurs, create a symbolic link at the expected destination: 3. Trigger Java agent injection. 4. Observe the privileged injector opening the symlink target and overwriting the linked file’s content using truncation semantics.

Goal Reached Thanks to every supporter — we hit 100%!

Privileged Java agent injection allows arbitrary host file overwrite via untrusted TMPDIR · Advisory · open-telemetry/opentelemetry-ebpf-instrumentation · GitHub

More from this source