
Remote code execution in Message sending functionality

Critical
Unknown published GHSA-rrhh-rcgp-q2m2 Apr 29, 2020

Package

intelmq-manager

Affected versions

>= 1.1.0, < 2.1.1

Patched versions

2.1.1

Description

Impact

@bernhard-herzog (@Intevation) discovered that the backend incorrectly handled user-supplied messages in the "send" functionality of the Inspect tool of the Monitor component. An attacker with access to the IntelMQ Manager could possibly use this issue to execute arbitrary code with the privileges of the webserver.

The CWE classification is CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').

Patches

IntelMQ Manager version 2.1.1 fixes the vulnerability.

It is also possible to apply this patch in situ:

patch path/to/intelmq-manager/php/controller.php << 'EOF'
@@ -104,7 +104,7 @@
             $arguments .= "message pop";
             break;
         case "send":
-            $arguments .= "message send '" . escapeshellarg(filter_input(INPUT_POST, "msg")) . "'";
+            $arguments .= "message send " . escapeshellarg(filter_input(INPUT_POST, "msg"));
             break;
         case "process":
             $arguments .= "process";
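Review bot: The `-`/`+` pair is the right fix: escapeshellarg() already wraps its result in single quotes, so the hand-written `'` on each side of the old line produced `''<msg>''` on the command line and left the message itself unquoted. Two things worth adding while in this function: filter_input(INPUT_POST, "msg") returns NULL when the field is absent and FALSE on failure, both of which escapeshellarg() coerces to an empty `''`, so reject a missing or non-string msg before appending to $arguments instead of sending an empty message; and check the rest of controller.php for the same `'" . escapeshellarg(...) . "'"` pattern, since the other cases visible in this hunk ("message pop", "process") take no argument and so would not show it.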
EOF

Workarounds

  • Enforce authentication as documented and
  • Restrict usage to browsers that can only reach internal networks (no CSRF prevention yet, see #111)

See docs/INSTALL.md, section "Security considerations"

References

Further information

The issue was found because SUNET contracted Intevation to fix the missing CSRF protection (#111) and migrate the backend to Python (#80).

While PHP's escapeshellcmd escapes all shell metacharacters, escapeshellarg instead wraps the whole string in single quotes and escapes any single quotes inside it. This ensures that the shell always treats the resulting string as a single argument.

The vulnerable code looked like this:

$cmd = $cmd . " send '" . escapeshellarg($user_input) . "'";

The single quote the code writes before the argument is immediately closed by the opening single quote that escapeshellarg adds, and the same happens at the end, so the shell sees two empty quoted strings and the user-controlled content in between unquoted. An attacker can thus inject arbitrary commands. The returned stdout and stderr strings are delivered to the user/attacker.

This bug also broke the vulnerable functionality itself: any valid IntelMQ message used in the Inspect Tool of the Monitor page for sending failed, because its quotes and spaces were no longer protected by the shell quoting (other related functions like process were not affected).
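To make the quoting failure concrete, here is an added Python model (not code from the advisory or from IntelMQ Manager) of the vulnerable and the fixed command-line construction, using a re-implementation of PHP's escapeshellarg and shlex to show what a POSIX shell would receive; the `ctl message send` prefix is a constructed stand-in for the real command, and the messages are constructed samples. It covers both the injection described above and the breakage of valid messages.

```python
import shlex

# Constructed stand-in for the $cmd/$arguments string controller.php builds;
# the real tool name is not shown in the advisory.
CMD_PREFIX = "ctl message send "


def escapeshellarg(arg: str) -> str:
    """Model of PHP's escapeshellarg() on POSIX: wrap the value in single
    quotes and turn every embedded single quote into '\\'' ."""
    return "'" + arg.replace("'", "'\\''") + "'"


def build_vulnerable(msg: str) -> str:
    # Pre-2.1.1 construction: hand-written quotes around the already quoted
    # output of escapeshellarg, yielding ''<msg>'' on the command line.
    return CMD_PREFIX + "'" + escapeshellarg(msg) + "'"


def build_fixed(msg: str) -> str:
    # 2.1.1 construction: escapeshellarg's own quotes are the only quotes.
    return CMD_PREFIX + escapeshellarg(msg)


def shell_tokens(cmdline: str) -> list[str]:
    """Split a command line the way a POSIX shell would, returning ; | & as
    separate tokens so that a second command becomes visible."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def message_arguments(cmdline: str) -> list[str]:
    """Everything the shell would hand over after the 'send' subcommand."""
    tokens = shell_tokens(cmdline)
    return tokens[tokens.index("send") + 1:]


def is_single_argument(cmdline: str, msg: str) -> bool:
    """Defensive check for a command builder: the message must arrive as
    exactly one argument equal to the original input, whatever it contains."""
    return message_arguments(cmdline) == [msg]


if __name__ == "__main__":
    for sample in ['{"a": 1}', "x; echo injected", "it's"]:
        print("vulnerable:", message_arguments(build_vulnerable(sample)))
        print("fixed:     ", message_arguments(build_fixed(sample)))
```

Running the block prints, for each sample, the argument list the shell would produce from the vulnerable and the fixed builder; only the fixed one preserves the message as a single argument.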

For more information

If you have any questions or comments about this advisory or IntelMQ Manager, you can:

Severity

Critical

CVE ID

CVE-2020-11016

Weaknesses

No CWEs

Credits