search

liftoff / GateOne

Gate One is an HTML5-powered terminal emulator and SSH client
http://liftoffsoftware.com/Products/GateOne
Other
6.28k stars 925 forks source link

An RCE Security vulnerability #736

Open glzjin opened 5 years ago

glzjin commented 5 years ago

In this file https://github.com/liftoff/GateOne/blob/master/gateone/applications/terminal/plugins/ssh/ssh.py#L586

There is a command execution and the argument comes from user input.

image

Poc:

  1. Deploy a GateOne instance.

https://github.com/liftoff/GateOne/issues/703

image

image

  1. Open the dev tool in your browser, open the GateOne page.

image

  1. Try to create an ssh connection. And watch the WebSocket traffic, wait for the 'terminal:ssh_get_host_fingerprint' command executes.

image

  1. Now we can switch the dev tool to console, and input this JavaScript script to let GateOne WebSocket send Our evil command. We can see that we get the command execution result from the error message.
GateOne.ws.send('{"terminal:ssh_get_host_fingerprint":{"host":"node1.buuoj.cn","port":"28030;cat /etc/passwd;"}}')

image

neingeist commented 2 years ago

shouldn't this be addressed?