
Fix arbitrary code execution flaw in Active Response #14801

Merged
merged 6 commits into from Sep 9, 2022

Conversation

@vikman90 vikman90 (Member) commented Sep 5, 2022

| Affected versions | Module | Component | Cause | Credits |
|---|---|---|---|---|
| 3.6.1 - 3.13.5, 4.0.0 - 4.2.7, 4.3.0 - 4.3.7 | Active Response | Agent & manager | #1217 | All credits to Roshan Guragain |

Thanks to Roshan Guragain for reporting the flaw and helping us improve the product!

Flaw

References to a parent folder are possible in a custom AR API request:

| Method | Endpoint | Data |
|---|---|---|
| PUT | /active-response | {"command":"!../../../../../../bin/ls"} |

Impact

A manager administrator with RBAC permissions active-response:command might execute a program outside the Active Response binary folder (/var/ossec/active-response/bin).

  • In versions below 4.2.0, the target command would receive the extra arguments (extra_args) as a command-line parameter list.
  • In 4.2.0 and higher, the target command receives all data (including the extra arguments) in a JSON string via standard input.

Agents from 3.6.1 to 4.1.5

Running a custom Active Response with these parameters:

| Command | Custom | Arguments |
|---|---|---|
| ../../../../root/test.sh | true | [arg1, arg2, arg3] |

This will cause the agent to run /root/test.sh with the following arguments:

```
/var/ossec/active-response/bin/../../../../root/test.sh add arg1 arg2 arg3
```

Agents from 4.2.0 to 4.3.7

Running a custom Active Response with these parameters:

| Command | Arguments |
|---|---|
| !../../../../root/test.sh | [arg1, arg2, arg3] |

This will cause the agent to run /root/test.sh with no extra arguments, but the agent will send the following string via stdin:

```json
{"version":1,"origin":{"name":null,"module":"wazuh-execd"},"command":"add","parameters":{"extra_args":["arg1","arg2","arg3"],"alert":{},"program":"active-response/bin/../../../../root/test.sh"}}
```

Proposed fix

We're implementing protection at two levels:

  1. Prevent the agent (wazuh-execd) from running a custom AR outside active-response/bin.
  2. Filter custom Active Response commands by the API and reject those whose member command contains any reference to a parent folder (../).
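The two protection levels above, written out as an added Python example (this is not Wazuh's own code from the PR, neither the C change in wazuh-execd nor the API schema filter). It assumes the Active Response binary folder `/var/ossec/active-response/bin` quoted in the description, the `!` prefix for custom commands and the execq JSON shape shown in the tests; the script name `custom-script.sh` in the benign sample is constructed. The `..` component check corresponds to the API-level filter (level 2), and the normalised-path containment check corresponds to the agent-level confinement (level 1), so a message that reaches execq without passing through the API is still rejected:

```python
import json
import posixpath

# Assumed AR binary folder on the agent (path quoted in the PR description).
AR_BIN_DIR = "/var/ossec/active-response/bin"


def is_custom_command(command: str) -> bool:
    """Custom AR commands arrive with a leading '!' in the execq message."""
    return command.startswith("!")


def validate_ar_command(command: str, ar_bin_dir: str = AR_BIN_DIR) -> str:
    """Return the absolute path of the program that would be executed.

    Raises ValueError when the command name could leave ar_bin_dir.
    Level 2 (API-style filter): reject any '..' path component.
    Level 1 (agent-style confinement): the normalised path must stay
    inside ar_bin_dir. Both are kept so that bypassing the API does
    not help and an unusual spelling of the name is still caught.
    """
    ar_bin_dir = posixpath.normpath(ar_bin_dir)
    name = command[1:] if is_custom_command(command) else command
    if not name:
        raise ValueError("empty command name")
    # Treat backslashes as separators too, so 'a\\..\\b' cannot slip past
    # the component check on agents that accept both separators.
    parts = name.replace("\\", "/").split("/")
    if ".." in parts:
        raise ValueError(f"command {name!r} references a parent folder")
    if parts[0] == "":
        raise ValueError(f"command {name!r} is an absolute path")
    resolved = posixpath.normpath(posixpath.join(ar_bin_dir, "/".join(parts)))
    # Second line of defence: the normalised path must lie strictly inside
    # the bin folder (and must not be the folder itself).
    if resolved == ar_bin_dir or posixpath.commonpath([ar_bin_dir, resolved]) != ar_bin_dir:
        raise ValueError(f"command {name!r} resolves outside {ar_bin_dir}")
    return resolved


def is_safe_ar_command(command: str) -> bool:
    """Boolean wrapper around validate_ar_command for filtering code."""
    try:
        validate_ar_command(command)
        return True
    except ValueError:
        return False


def check_execq_message(raw: str) -> dict:
    """Parse an execq JSON message and decide whether its command may run."""
    msg = json.loads(raw)
    command = msg.get("command", "")
    program = validate_ar_command(command)  # raises on traversal
    return {
        "command": command,
        "program": program,
        "extra_args": msg.get("parameters", {}).get("extra_args", []),
    }


# Constructed sample messages: the first is the payload from the PR's tests,
# the second is a benign custom command (the script name is made up).
TRAVERSAL_MSG = (
    '{"version": 1, "origin": {"name": null, "module": "framework"}, '
    '"command": "!../../../../../../bin/ls", "parameters": {"extra_args": [], "alert": {}}}'
)
BENIGN_MSG = (
    '{"version": 1, "origin": {"name": null, "module": "framework"}, '
    '"command": "!custom-script.sh", "parameters": {"extra_args": ["arg1"], "alert": {}}}'
)

if __name__ == "__main__":
    for raw in (TRAVERSAL_MSG, BENIGN_MSG):
        try:
            print("allowed:", check_execq_message(raw))
        except ValueError as exc:
            print("rejected:", exc)
```

`posixpath.normpath` only normalises the string; it does not follow symlinks, so the containment check is about the name the caller supplied, which is exactly what the PR's filter is concerned with. A real agent-side implementation would additionally resolve the final path on the filesystem before executing it.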

Tests

  • Send a custom AR command to Execd containing a reference to the parent folder:

    ```shell
    echo -n '{"version": 1, "origin": {"name": null, "module": "framework"}, "command": "!../../../../../../bin/ls", "parameters": {"extra_args": [], "alert": {}}}' | nc -w0 -Uu /var/ossec/queue/alerts/execq
    ```

    ```
    2022/09/05 14:48:51 wazuh-execd[6848] exec.c:163 at GetCommandbyName(): WARNING: Active response command '../../../../../../bin/ls' vulnerable to directory traversal attack. Ignoring.
    2022/09/05 14:48:51 wazuh-execd[6848] execd.c:465 at ExecdStart(): ERROR: (1311): Invalid command name '!../../../../../../bin/ls' provided.
    ```

  • Unit tests to check that GetCommandbyName rejects custom commands with path traversal.
  • The API rejects custom ARs with commands referring to the parent folder:

    ```shell
    curl -H "Content-Type: application/json" -X PUT https://localhost:55000/active-response?agents_list=001 --data '{"command":"!../../../../../../bin/ls"}'
    ```

    ```json
    {"title": "Bad Request", "detail": "'!../../../../../../bin/l' is not a 'active_response_command' - 'command'"}
    ```
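The two wazuh-execd log lines shown in the tests are the agent's record of a blocked traversal attempt, which makes them a useful detection source once the fix is deployed. The following is an added Python example, not part of the PR, that parses lines in that format and extracts one event per rejected command; the log line shape is taken from the two quoted lines, and the extra INFO line and non-execd line in the sample are constructed to show what is skipped:

```python
import re
from typing import Optional

# Line shape taken from the two wazuh-execd lines quoted in the PR's tests:
# "<date> <time> <daemon>[<pid>] <file>:<line> at <func>(): <LEVEL>: <msg>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+)\[(?P<pid>\d+)\] "
    r"(?P<src>[\w.]+:\d+) at (?P<func>\w+)\(\): "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)
# The WARNING emitted by GetCommandbyName and the ERROR (1311) from ExecdStart.
TRAVERSAL_RE = re.compile(
    r"Active response command '(?P<cmd>[^']*)' vulnerable to directory traversal attack"
)
INVALID_RE = re.compile(r"\(1311\): Invalid command name '(?P<cmd>[^']*)' provided")


def parse_log_line(line: str) -> Optional[dict]:
    """Split one log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_blocked_ar_commands(lines) -> list:
    """Return one event per rejected AR command found in wazuh-execd log lines."""
    events = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["daemon"] != "wazuh-execd":
            continue
        for kind, pattern in (("traversal_blocked", TRAVERSAL_RE), ("invalid_command", INVALID_RE)):
            m = pattern.search(rec["msg"])
            if m:
                events.append({
                    "time": rec["ts"],
                    "pid": int(rec["pid"]),
                    "kind": kind,
                    "command": m.group("cmd"),
                })
                break
    return events


# Constructed sample: the two lines from the PR plus two lines that must be ignored
# (a made-up INFO line and a line from a different daemon).
SAMPLE_LOG_LINES = [
    "2022/09/05 14:48:50 wazuh-execd[6848] execd.c:100 at ExecdStart(): INFO: Started (pid: 6848).",
    "2022/09/05 14:48:51 wazuh-execd[6848] exec.c:163 at GetCommandbyName(): WARNING: Active response command '../../../../../../bin/ls' vulnerable to directory traversal attack. Ignoring.",
    "2022/09/05 14:48:51 wazuh-execd[6848] execd.c:465 at ExecdStart(): ERROR: (1311): Invalid command name '!../../../../../../bin/ls' provided.",
    "2022/09/05 14:48:52 wazuh-agentd[6800] agentd.c:10 at AgentdStart(): INFO: Connected to the server.",
]

if __name__ == "__main__":
    for event in find_blocked_ar_commands(SAMPLE_LOG_LINES):
        print(event)
```

Both lines are produced for a single rejected request, so a rule built on this should key on the traversal warning and treat the (1311) error as corroboration rather than counting the pair as two attempts.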

@vikman90 vikman90 added type/bug Something isn't working type/bug/vulnerability Exploitable vulnerability labels Sep 5, 2022
@chemamartinez chemamartinez (Contributor) left a comment


LGTM!

@jmv74211 jmv74211 (Contributor) commented Sep 8, 2022

QA review

@vikman90 vikman90 merged commit b59855d into 4.3 Sep 9, 2022
@vikman90 vikman90 deleted the fix-ar-custom-comm branch September 9, 2022 11:20