Command injection vulnerabilities #447

Closed
@fdcarl

There are multiple command injection vulnerabilities in the current version of linux-dash.

  1. The python and node versions of the servers are vulnerable to code injection. For example, with the python server running on my local host, navigating to the URL http://127.0.0.1/server/?module=;ls$IFS-al will output the listing of the current directory.

image

In the case of the node version, by using a node client, commands can be executed directly. For example:

image

At this point, it is pretty trivial to gain a shell on the server. And since the readme mentions that it may require sudo, there's a good chance that shell will be a root shell.

  2. In linux_json_api.sh, the final two lines of the script are as follows:

```
fnCalled="$1"
${fnCalled}
```

Since the various versions of the servers (go, node, php, and python) all simply pass an argument to this shell script, some limited command injection is possible, for example with any Linux commands that do not need an argument. For example, when running the python version of the server on my localhost, the URL http://127.0.0.1/server/?module=whoami will return:

image

Depending on the permissions of the user running the server, it may be possible to do things like DoS the system by shutting it down.
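
One way a server could guard the `module` parameter before it reaches linux_json_api.sh, shown as an added example that is not part of the original issue or the linux-dash code base. The allowlist, the two module names and the sample script are constructed for illustration; only the script's last two lines come from the issue.

```python
import subprocess
import tempfile
from pathlib import Path

# Constructed stand-in for linux_json_api.sh: two hypothetical module
# functions, then the same two closing lines the issue quotes.
SAMPLE_SCRIPT = """\
cpu_info() { echo '{"cpu":"sample"}'; }
current_ram() { echo '{"ram":"sample"}'; }
fnCalled="$1"
${fnCalled}
"""

# Assumption: the complete set of functions the dashboard should expose.
ALLOWED_MODULES = frozenset({"cpu_info", "current_ram"})


class ModuleRejected(ValueError):
    """Raised when the requested module is not on the allowlist."""


def build_argv(script_path, module):
    """Return the argv for one module call, or raise ModuleRejected."""
    # Exact-match allowlist: ';ls$IFS-al' and 'whoami' both fail here, so
    # nothing chosen by the requester ever reaches ${fnCalled} in the script.
    if module not in ALLOWED_MODULES:
        raise ModuleRejected(f"unknown module: {module!r}")
    return ["sh", str(script_path), module]


def run_module(script_path, module):
    """Run one allowlisted module and return its stdout."""
    # A list argv with the default shell=False is handed to exec as-is, so
    # no shell parses a command line built from the request value.
    done = subprocess.run(build_argv(script_path, module),
                          capture_output=True, text=True, timeout=10, check=True)
    return done.stdout


def demo():
    """Exercise the guard against a constructed copy of the script."""
    with tempfile.TemporaryDirectory() as tmp:
        script = Path(tmp) / "linux_json_api.sh"
        script.write_text(SAMPLE_SCRIPT)
        results = {"cpu_info": run_module(script, "cpu_info")}
        for bad in (";ls$IFS-al", "whoami", ""):  # request values from the issue
            try:
                run_module(script, bad)
                results[bad] = "executed"
            except ModuleRejected:
                results[bad] = "rejected"
        return results
```

The same allowlist check can also live at the end of the shell script itself, which would cover the go, node and php servers without changing each one.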
