Remote command execution #1

Closed
Pixelschleuder opened this Issue Dec 18, 2017 · 2 comments

Pixelschleuder commented Dec 18, 2017

X41 D-Sec GmbH Security Advisory: X41-2017-007

Remote command execution in Shadowsocks ConnecTion

Overview

Severity Rating: High
Confirmed Affected Versions: 0.4, 0.5
Confirmed Patched Versions: after commit f674f7d
Vendor: Wanjunzh
Vendor URL: https://github.com/wanjunzh/ssct
Vector: Network
Credit: X41 D-Sec GmbH, Niklas Abel
Status: Public
CVE: Not assigned yet
CWE: 78
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-007-shadowsocks_connection/

Summary and Impact

The Shadowsocks wrapper "ShadowSocks ConnecTion" crawls a web page for
Shadowsocks server credentials. This page is retrieved via unencrypted HTTP
from URI "http://ss.ishadowx.com" as default. It starts Shadowsocks with the
parsed credentials at line 98-101 in version 0.4, line 82-85 in version 0.5 using check_call(sss, shell=True).

If an attacker is able to modify the parsed web page due to a man in the
middle attack, a vulnerability on the web page or through a malicious web
page itself, the parameters could be modified to execute a command on the
machine running ShadowSocks ConnecTion. E.g. ";#" could be
attached to or used as a parameter to execute code on target machines.

Product Description

ShadowSocks ConnecTion is a wrapper tool for Shadowsocks to consistently
bypass firewalls. It parses a given website for Shadowsocks server
credentials and uses the credentials to connect to a Shadowsocks server.

Workarounds

Use a ShadowSocks ConnecTion version with the patch from commit "f674f7d".

About X41 D-Sec GmbH

X41 D-Sec is a provider of application security services. We focus on
application code reviews, design review and security testing. X41 D-Sec GmbH
was founded in 2015 by Markus Vervier. We support customers in various
industries such as finance, software development and public institutions.

Timeline

2017-09-29 Issue found
2017-10-05 Vendor contacted
2017-10-06 Vendor contacted, replied with PGP key
2017-10-11 Advisory was sent to Vendor
2017-11-07 0.5 still unpatched, sent a deadline of one month to the vendor
2017-12-07 Deadline for public release has been reached
2017-12-15 CVE ID requested
2017-12-18 Created public issue on GitHub
2017-12-18 Advisory release
2017-12-21 Issues fixed with commit f674f7d
2018-01-05 Advisory updated, patch confirmed

Owner

wanjunzh commented Dec 24, 2017

@Pixelschleuder
Thank you for your issue about ssct. The latest version of ssct tries to fix the security vulnerability.

  • avoid the untrusted input as arguments to shell commands
  • replace the unencrypted HTTP with encrypted HTTPS (ishadowx)
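
An added example, not code from ssct or from the advisory: one way to apply the first bullet above, by validating each scraped field and handing check_call an argument list instead of a shell string. The dictionary keys, the cipher allow-list and the sample values are assumptions made for illustration; the actual change in commit f674f7d is not shown on this page.

```python
import ipaddress
import re

# Example allow-list of cipher names (assumption; adjust to what your client supports).
ALLOWED_METHODS = {"aes-128-cfb", "aes-256-cfb", "aes-256-gcm", "chacha20", "rc4-md5"}
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"(?=.{{1,253}}\Z){LABEL}(?:\.{LABEL})*\Z")


class UntrustedCredentialError(ValueError):
    """A scraped field does not have the shape expected of it."""


def validate_host(value):
    try:
        return str(ipaddress.ip_address(value))  # literal IPv4/IPv6 address
    except ValueError:
        pass
    if not HOSTNAME_RE.match(value):
        raise UntrustedCredentialError(f"bad server: {value!r}")
    return value


def validate_port(value):
    if not re.fullmatch(r"[0-9]{1,5}", value) or not 1 <= int(value) <= 65535:
        raise UntrustedCredentialError(f"bad port: {value!r}")
    return str(int(value))


def build_sslocal_argv(creds, local_port=1080):
    """Build an argv list for subprocess.check_call(argv), i.e. shell=False.

    creds holds strings scraped from the credentials page (hypothetical keys).
    """
    method = creds["method"].strip().lower()
    if method not in ALLOWED_METHODS:
        raise UntrustedCredentialError(f"bad method: {method!r}")
    password = creds["password"]
    if not password or any(ord(c) < 0x20 or ord(c) == 0x7F for c in password):
        raise UntrustedCredentialError("bad password")
    # Each value is one argv element; no shell ever parses it, so characters
    # such as ';' or '#' in the password stay literal data.
    return ["sslocal", "-s", validate_host(creds["server"]),
            "-p", validate_port(creds["port"]),
            "-k", password, "-m", method, "-l", str(local_port)]


if __name__ == "__main__":
    sample = {"server": "192.0.2.10", "port": "8388",  # constructed sample
              "password": "pw;#x", "method": "aes-256-cfb"}
    print(build_sslocal_argv(sample))
```

The returned list is meant to be passed as `subprocess.check_call(argv)` with the default `shell=False`; a field that fails validation raises before any process is started.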

@wanjunzh wanjunzh closed this Jan 2, 2018

@wanjunzh wanjunzh reopened this Jan 2, 2018

Pixelschleuder commented Jan 5, 2018

Seems fine for me, thanks. :-)

@wanjunzh wanjunzh closed this Jan 8, 2018
