PiBrewing / craftbeerpi4

GNU General Public License v3.0

Code injection vulnerability on /system/log endpoint #132

Closed. pondzikk closed this 5 months ago.

pondzikk commented 6 months ago

The URL GET parameter {logtime}, used within the downloadlog function in /cbpi/controller/system_controller.py, is subsequently passed to the os.system function in /cbpi/http_endpoints/http_system.py without prior validation, allowing arbitrary code execution.

The vulnerability exists from version 4.0.0.58 (commit 563fae9).

avollkopf commented 6 months ago

Unfortunately, I am not an expert nor a professional programmer. I need to look into it and read more details on the topic. Are you referring to changes documented here? Or even better, do you have a proposal on how to fix it with a PR?

Anyhow, it'll take some time.

pondzikk commented 6 months ago

Yes, the mentioned mitigations should fix this issue. If I find any free time soon I will test the mitigation and make a PR.

avollkopf commented 6 months ago

@pondzikk Would a check that logtime is an integer and below a certain value reduce the risk significantly? This could be a short-term solution.

avollkopf commented 6 months ago

@pondzikk please check if the quick solution (https://github.com/PiBrewing/craftbeerpi4/commit/57572c777eec1846273f9418e1029568194ecf07) would work as a start. Only integer values and a 'b' are now forwarded to the system controller.
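
As an added example that is not part of this thread or the project's own code: the allow-list described in the comment above (a bounded integer, or the literal 'b'), with the resulting command built as an argument list instead of a shell string. The journalctl command line and the upper bound are assumptions.

```python
import re
import subprocess
from typing import List, Union

MAX_LINES = 10000  # assumed upper bound for an integer logtime value
_INT_RE = re.compile(r"[0-9]+")  # ASCII digits only, whole string must match


def validate_logtime(raw: str) -> Union[int, str]:
    """Return a sanitised logtime value or raise ValueError.

    Only two forms are accepted, mirroring the quick fix discussed above:
    a non-negative integer (bounded by MAX_LINES) or the single character 'b'.
    Anything else, including strings that merely contain digits, is rejected.
    """
    if raw == "b":
        return "b"
    if _INT_RE.fullmatch(raw):
        value = int(raw)
        if value > MAX_LINES:
            raise ValueError("logtime too large")
        return value
    raise ValueError("logtime must be an integer or 'b'")


def is_valid_logtime(raw: str) -> bool:
    """Convenience predicate: True if validate_logtime accepts the value."""
    try:
        validate_logtime(raw)
    except ValueError:
        return False
    return True


def build_journal_command(logtime: Union[int, str]) -> List[str]:
    """Build the journalctl argv (assumed command) for an already validated value."""
    if logtime == "b":
        return ["journalctl", "-b"]
    return ["journalctl", "-n", str(logtime)]


def download_log(raw: str) -> str:
    """Validate the request parameter, then run the command without a shell."""
    argv = build_journal_command(validate_logtime(raw))
    # A list with shell=False (the default) passes each entry as a separate
    # argv element; no shell ever parses the user-supplied value.
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout
```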

pondzikk commented 6 months ago

@pondzikk Would a check that logtime is an integer and below a certain value reduce the risk significantly? This could be a short-term solution.

Yup, it should work.

I haven't checked the fixed version in action, but after reading the changes in the commit I think it would mitigate this issue.

CERT-PL-CNA commented 6 months ago

@avollkopf we have been requested to assign a CVE for that vulnerability. We have reserved CVE-2024-3955 and we will soon publish its details. If you want to consult its content please contact us at our email address.

Best regards CERT.PL CNA

avollkopf commented 5 months ago

Added a test branch that is using the systemd-python package instead of os.system to read from the journal. Tests have started, but reading from the log is working already and the issue should be solved with the usage of the additional package.

CERT-PL-CNA commented 5 months ago

The vulnerability was described and published at the following addresses:
https://www.cve.org/CVERecord?id=CVE-2024-3955
https://cert.pl/en/posts/2024/05/CVE-2024-3955/

Best regards CERT.PL CNA

avollkopf commented 5 months ago

Closed with the aforementioned PR.