Hello,
I have found a bug that can lead to a privilege escalation.
Most of the input which the user can control is escaped using escapeshellarg, but using the cputime parameter, which is not escaped, you can create a command injection which leads to a privilege escalation. Here you can see that cputime is not escaped and is directly set into the sandbox command which is executed by the user www-data.
Once you have access to the webroot you can patch runguard to accept root as a valid user and execute commands as root.
I also have a proof-of-concept script but I won't upload it here for security reasons.
If there are any further questions, I'll be happy to help.
Sincerely,
Marlon
Many thanks for finding and reporting the vulnerability. Thanks for the fix, too, though I've chosen to run with a slight variant on your code. I've modified getParam so that if a supplied parameter is non-numeric and the default parameter is numeric, the default is used. Change pushed to github. Please confirm that my change addresses that issue (and any similar ones).
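
The fallback rule described in the reply above, as an added sketch that is not the project's code. The function names, the `sandbox-runner` command and its `--cputime` option are hypothetical placeholders, and the sample inputs are constructed; the example also quotes the validated value, which goes beyond the rule as stated.

```php
<?php
// Added illustration: hypothetical names and command layout, not the project's code.

// Return the supplied parameter, falling back to the default when the
// default is numeric but the supplied value is not.
function getNumericSafeParam(array $params, string $key, $default)
{
    if (!array_key_exists($key, $params)) {
        return $default;
    }
    $value = $params[$key];
    if (is_numeric($default) && !is_numeric($value)) {
        return $default;
    }
    return $value;
}

// Build the command line. 'sandbox-runner' and '--cputime' are placeholders.
function buildSandboxCommand(array $params, bool $hardened): string
{
    $default = 5; // assumed default CPU time in seconds
    if ($hardened) {
        $cputime = getNumericSafeParam($params, 'cputime', $default);
        // is_numeric() accepts more than plain digits (e.g. '1e3', leading
        // whitespace), so the validated value is still quoted for the shell.
        $cputimeArg = escapeshellarg((string) $cputime);
    } else {
        // 'Before' behaviour from the report: value interpolated unescaped.
        $cputimeArg = $params['cputime'] ?? $default;
    }
    return 'sandbox-runner --cputime=' . $cputimeArg
        . ' ' . escapeshellarg($params['program']);
}

// Constructed sample inputs: one benign, one carrying shell metacharacters.
$samples = [
    ['cputime' => '10', 'program' => 'prog.exe'],
    ['cputime' => '5; echo injected', 'program' => 'prog.exe'],
];
foreach ($samples as $p) {
    // Commands are only printed for comparison, never executed.
    echo 'before: ', buildSandboxCommand($p, false), PHP_EOL;
    echo 'after:  ', buildSandboxCommand($p, true), PHP_EOL;
}
```

For the second sample the "before" line carries the `;` through to the shell unquoted, while the "after" line falls back to the default and passes it as a single quoted argument.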