New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Command Execution in ss-manager #1734

Closed
Pixelschleuder opened this Issue Oct 13, 2017 · 4 comments

Comments

Projects
None yet
3 participants
@Pixelschleuder

Pixelschleuder commented Oct 13, 2017

Overview

Severity Rating: High
Confirmed Affected Versions: 3.1.0
Confirmed Patched Versions: after commit c67d275
Vendor: Shadowsocks
Vendor URL: https://github.com/shadowsocks/shadowsocks-libev
Vector: Local
Credit: X41 D-Sec GmbH, Niklas Abel
Status: Public
CVE: CVE-2017-15924
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-010-shadowsocks-libev/

Summary and Impact

Shadowsocks-libev offers local command execution per configuration file
or/and additionally, code execution per UDP request on 127.0.0.1.

The configuration file on the file system or the JSON configuration received
via UDP request is parsed and the arguments are passed to the "add_server"
function.
The function calls "construct_command_line(manager, server);" which returns
a string from the parsed configuration.
The string gets executed at line 486 "if (system(cmd) == -1) {", so if a
configuration parameter contains "||evil command&&" within the "method"
parameter, the evil command will get executed.

The ss-manager uses UDP port 8830 to get control commands on 127.0.0.1. By
default no authentication is required, although a password can be set with
the '-k' parameter.

Product Description

Shadowsocks-libev is a lightweight secured SOCKS5 proxy for embedded devices
and low-end boxes. The ss-manager is meant to control shadowsocks servers
for multiple users, it spawns new servers if needed.

It is a port of shadowsocks created by @clowwindy, and maintained by @madeye
and @linusyang.

Proof of Concept

As passed configuration requests are getting executed, the following command
will create file "evil" in /tmp/ on the server:

nc -u 127.0.0.1 8839
add: {"server_port":8003, "password":"test", "method":"||touch /tmp/evil||"}

The code is executed through shadowsocks-libev/src/manager.c.
If the configuration file on the file system is manipulated, the code would
get executed as soon as a shadowsocks instance is started from ss-manage, as
long as the malicious part of the configuration has not been overwritten.

Workarounds

There is no workaround available, do not use ss-manage until a patch is
released.

About X41 D-Sec GmbH

X41 D-Sec is a provider of application security services. We focus on
application code reviews, design review and security testing. X41 D-Sec GmbH
was founded in 2015 by Markus Vervier. We support customers in various
industries such as finance, software development and public institutions.

Timeline

2017-09-28 Issues found
2017-10-05 Vendor contacted
2017-10-09 Vendor contacted, replied to use GitHub for a full disclosure
2017-10-11 Vendor contacted, asked if the vendor is sure to want a full disclosure
2017-10-12 Vendor contacted, replied to create a public issue on GitHub
2017-10-13 Created public issues on GitHub
2017-10-13 Advisory release
2017-10-14 Vendor patched the vulnerability
2017-10-27 CVE ID assigned
2017-11-03 Advisory updated with CVE ID and patched version

@carnil

This comment has been minimized.

Show comment
Hide comment

@madeye madeye closed this in c67d275 Oct 13, 2017

@madeye madeye added the bug label Oct 13, 2017

@madeye

This comment has been minimized.

Show comment
Hide comment
@madeye

madeye Oct 13, 2017

Thank you for reporting this issue!

madeye commented Oct 13, 2017

Thank you for reporting this issue!

@madeye

This comment has been minimized.

Show comment
Hide comment
@madeye

madeye Oct 13, 2017

For anyone using ss-manager, please use unix domain socket path if possible.

Exposing ss-manager to public is always dangerous.

madeye commented Oct 13, 2017

For anyone using ss-manager, please use unix domain socket path if possible.

Exposing ss-manager to public is always dangerous.

@carnil

This comment has been minimized.

Show comment
Hide comment
@carnil

carnil Oct 27, 2017

CVE-2017-15924 has been assigned for this issue

carnil commented Oct 27, 2017

CVE-2017-15924 has been assigned for this issue

CZNIC-GitLab pushed a commit to CZ-NIC/turris-os-packages that referenced this issue Oct 31, 2017

CZNIC-GitLab pushed a commit to CZ-NIC/turris-os-packages that referenced this issue Nov 3, 2017

CZNIC-GitLab pushed a commit to CZ-NIC/turris-os-packages that referenced this issue Nov 3, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment