Description
There are multiple command injection vulnerabilities in the current version of linux-dash.
- The python and node versions of the servers are vulnerable to code injection. For example, with the python server running on my local host, navigating to the URL http://127.0.0.1/server/?module=;ls$IFS-al will output the listing of the current directory.
In the case of the node version, commands can be executed directly by using a node client. For example:
At this point, it is pretty trivial to gain a shell on the server. And since the readme mentions that it may require sudo, there's a good chance that shell will be a root shell.
- In linux_json_api.sh, the final two lines of the script are as follows:
    fnCalled="$1"
    ${fnCalled}
Since the various versions of the server (go, node, php, and python) all simply pass an argument to this shell script, some limited command injection is possible: for example, any linux command that does not need an argument. When running the python version of the server on my localhost, the URL http://127.0.0.1/server/?module=whoami will return:
Depending on the permissions of the user running the server, it may be possible to do things like DoS the system by shutting it down.
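One way to close the `${fnCalled}` dispatch described above is to run only names on an explicit allowlist. This is an added example, not code from linux-dash; the module functions `cpu_info` and `current_ram`, the `dispatch` helper and the error messages are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: allowlist dispatch in place of the unchecked `${fnCalled}`.
# The two functions below are hypothetical stand-ins for the script's modules.

cpu_info()    { echo '{"module":"cpu_info"}'; }
current_ram() { echo '{"module":"current_ram"}'; }

# Only these names may ever be dispatched.
ALLOWED_MODULES="cpu_info current_ram"

dispatch() {
  local requested="$1" name

  # Reject empty input and anything that is not a plain identifier.
  # This drops values containing ';', '$', spaces or '-' before any lookup.
  case "$requested" in
    ''|*[!a-z_]*)
      echo '{"error":"invalid module"}'
      return 2
      ;;
  esac

  # A well-formed name is still refused unless it is on the allowlist,
  # so system binaries such as whoami are never reached.
  for name in $ALLOWED_MODULES; do
    if [ "$requested" = "$name" ]; then
      "$name"   # quoted call of a known function
      return 0
    fi
  done

  echo '{"error":"unknown module"}'
  return 3
}

# The script would then end with:  dispatch "$1"
```

The servers still need to pass the module value to the script as a single argument without going through a shell, otherwise the first issue remains regardless of this check.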


