Code-Racing / brickyard


CONTRAST: OS Command Injection from Untrusted Sources on "/command_injection/childprocess_exec" page #4

Open valvolineford opened 5 years ago

valvolineford commented 5 years ago

Vulnerability ID: N5U2-AUF2-3GQ4-XKZP

Application Name: AgentMessageGeneratorNode

Vulnerability Link: http://localhost:19080/Contrast/static/ng/index.html#/7c6cfec5-a187-4d5e-984a-d11d96d2ef63/applications/d944b35a-2925-43da-a27b-0fa1fac7d8aa/vulns/N5U2-AUF2-3GQ4-XKZP

What Happened?

We tracked the following data from Untrusted Sources:

GET /command_injection/childprocess_exec?user_path=.%2F

...which was accessed within the following code:

Layer.handle(), line 96

...and ended up in this command statement:

ls -l ./

What's the risk?

The application takes data from the user and uses it to build a system command. A malicious user could provide data that escapes the existing command and issues new ones. It's also possible they could cause the existing command to behave maliciously.

Recommendation

First Event


Stack:
  (/app/vulnerabilities/command_injection/index.js:15)
  Layer.handle(/app/node_modules/express/lib/router/layer.js:96)
  next(/app/node_modules/express/lib/router/route.js:138)
  Route.dispatch(/app/node_modules/express/lib/router/route.js:113)
  Layer.handle(/app/node_modules/express/lib/router/layer.js:96)
  (/app/node_modules/express/lib/router/index.js:279)
  Function.process_params(/app/node_modules/express/lib/router/index.js:332)
  next(/app/node_modules/express/lib/router/index.js:273)
  Function.handle(/app/node_modules/express/lib/router/index.js:176)
  router(/app/node_modules/express/lib/router/index.js:48)
  Layer.handle(/app/node_modules/express/lib/router/layer.js:96)
  trim_prefix(/app/node_modules/express/lib/router/index.js:314)
  (/app/node_modules/express/lib/router/index.js:282)
  Function.process_params(/app/node_modules/express/lib/router/index.js:332)
  next(/app/node_modules/express/lib/router/index.js:273)

Last Event


Stack:
  (/app/vulnerabilities/command_injection/index.js:23)
  Layer.handle(/app/node_modules/express/lib/router/layer.js:96)
  next(/app/node_modules/express/lib/router/route.js:138)
  Route.dispatch(/app/node_modules/express/lib/router/route.js:113)
  Layer.handle(/app/node_modules/express/lib/router/layer.js:96)
  (/app/node_modules/express/lib/router/index.js:279)
  Function.process_params(/app/node_modules/express/lib/router/index.js:332)
  next(/app/node_modules/express/lib/router/index.js:273)
  Function.handle(/app/node_modules/express/lib/router/index.js:176)
  router(/app/node_modules/express/lib/router/index.js:48)
  Layer.handle(/app/node_modules/express/lib/router/layer.js:96)
  trim_prefix(/app/node_modules/express/lib/router/index.js:314)

HTTP Request

GET http://20.42.27.158:8004/command_injection/childprocess_exec?user_path=.%2F HTTP/1.1
Accept-Encoding: identity
Cookie: connect.sid=s%3AiW8K8GCLWnXK423tjeX-S1muQw1vGZbF.%2B2BgINk9J0ZhJDDv47usWqwevl3lv0fAz5KzsgufCWk
Host: 20.42.27.158:8004
X-Screener-Uuid: 0f7831c8-d3ae-42ca-a74c-4cf84e49a436

References

https://www.owasp.org/index.php/Top_10_2013-A1-Injection