Command Injection Vulnerability in URL input

Moderate
4ra1n published GHSA-732j-763p-cvqg Nov 20, 2022

Package

super-xray (super-xray)

Affected versions

0.1-beta

Patched versions

0.2-beta

Description

Severity

  • Severity level: Moderate
  • Attack vector: Local
  • Attack complexity: Low
  • Privileges required: High
  • User interaction: Required
  • Scope: Unchanged
  • Confidentiality impact: High
  • Integrity impact: High
  • Availability impact: High

Vendor

super-xray

Versions Affected

0.1-beta

Description

The URL is not filtered and is concatenated directly into the command line, which leads to a possible RCE vulnerability.

The relevant code is as follows:

    public void initActiveScan() {
        logger.info("init active scan module");
        activeScanButton.addActionListener(e -> {
            try {
                refreshOutput();
                xrayCmd.setModule("webscan");
                xrayCmd.setConfig(String.format("--config %s", configPath));
                // buildCmd() assembles one flat command string by concatenation,
                // including the target URL entered in the GUI without any filtering.
                String finalCmd = xrayCmd.buildCmd();
                outputTextArea.setText(null);
                execAndFresh(finalCmd);
            } catch (Exception ex) {
                ex.printStackTrace();
            }
        });
    }

    private void execAndFresh(String finalCmd) {
        outputTextArea.setText(null);
        Thread thread = new Thread(() -> {
            try {
                // The whole string is handed to a shell, not to the xray binary directly.
                InputStream inputStream = ExecUtil.execCmdGetStream(finalCmd);
                if (inputStream == null) {
                    return;
                }
                BufferedReader isReader = new BufferedReader(new InputStreamReader(inputStream));
                String thisLine;
                while ((thisLine = isReader.readLine()) != null) {
                    outputTextArea.append(thisLine);
                    outputTextArea.append("\n");
                    outputTextArea.setCaretPosition(outputTextArea.getText().length());
                }
            } catch (Exception ex) {
                ex.printStackTrace();
            }
        });
        thread.start();
        threadPool.add(thread);
    }

    public static InputStream execCmdGetStream(String cmd) {
        // "cmd.exe /c" and "/bin/bash -c" both parse cmd as shell syntax, so any shell
        // metacharacters present in the unfiltered URL are interpreted by the shell.
        if (OSUtil.isWindows()) {
            String[] xrayCmd = new String[]{"cmd.exe", "/c", String.format("%s", cmd)};
            return execGetStream(xrayCmd);
        } else {
            String[] xrayCmd = new String[]{"/bin/bash", "-c", String.format("%s", cmd)};
            return execGetStream(xrayCmd);
        }
    }
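
The root cause above is that a user-controlled URL is spliced into a string that a shell then parses. The hardened form below is an added example, not super-xray's own code or its 0.2-beta fix: it validates the URL as a URI, passes every value as its own argv element, and starts the binary with `ProcessBuilder` so no `cmd.exe /c` or `bash -c` sits in between. The xray binary path and the `--url` flag are assumptions; only `webscan` and `--config` come from the advisory.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Path;
import java.util.List;

/** Hypothetical hardened launcher for the xray "webscan" command; not super-xray's own code. */
public class SafeXrayLauncher {

    /** Accept only http/https URLs with a host. With argv passing, shell metacharacters are
     *  inert anyway; this check just keeps junk input out of the scanner. */
    static String validateUrl(String raw) {
        URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("not a valid URL: " + raw, e);
        }
        String scheme = uri.getScheme();
        boolean okScheme = "http".equals(scheme) || "https".equals(scheme);
        if (!okScheme || uri.getHost() == null) {
            throw new IllegalArgumentException("only http(s) URLs with a host are allowed");
        }
        return uri.toString();
    }

    /** One argv element per value: the binary runs directly, never via cmd.exe /c or bash -c.
     *  The --url flag and the binary path are assumptions, not taken from the advisory. */
    static List<String> buildArgv(Path xrayBinary, Path configPath, String targetUrl) {
        return List.of(xrayBinary.toString(), "webscan",
                "--config", configPath.toString(),
                "--url", validateUrl(targetUrl));
    }

    static Process launch(Path xrayBinary, Path configPath, String targetUrl) throws IOException {
        return new ProcessBuilder(buildArgv(xrayBinary, configPath, targetUrl))
                .redirectErrorStream(true)   // stdout and stderr on one stream, as the GUI reads them
                .start();
    }

    public static void main(String[] args) {
        // Constructed sample: '&' would end the command under "bash -c", but as a single argv
        // entry it reaches xray unchanged as part of the query string.
        String target = "https://example.com/scan?a=1&b=2";
        System.out.println(buildArgv(Path.of("./xray"), Path.of("config.yaml"), target));
    }
}
```

The output reader in `execAndFresh` can stay as it is; only the process launch needs to change, since `launch()` returns a `Process` whose `getInputStream()` carries the merged output.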

Mitigation

Users should upgrade to super-xray 0.2-beta.

Credit

This issue has no credit

Severity

Moderate, 6.5 / 10

CVSS base metrics

  • Attack vector: Local
  • Attack complexity: Low
  • Privileges required: High
  • User interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

CVE ID

CVE-2022-41945

Weaknesses