Impact
@bernhard-herzog (@Intevation) discovered that the backend incorrectly handled user-supplied messages in the "send" function of the Inspect tool of the Monitor component. An attacker with access to the IntelMQ Manager could use this issue to execute arbitrary commands with the privileges of the webserver.
The CWE classification is CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Patches
IntelMQ Manager version 2.1.1 fixes the vulnerability.
It is also possible to apply this patch in situ:
patch path/to/intelmq-manager/php/controller.php << 'EOF'
@@ -104,7 +104,7 @@
$arguments .= "message pop";
break;
case "send":
- $arguments .= "message send '" . escapeshellarg(filter_input(INPUT_POST, "msg")) . "'";
+ $arguments .= "message send " . escapeshellarg(filter_input(INPUT_POST, "msg"));
break;
case "process":
$arguments .= "process";
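Review bot: the change is correct as far as this hunk shows: escapeshellarg() already returns its argument wrapped in single quotes, so the literal `'` at the start and end of the removed concatenation were what closed that quoting and left the content of `msg` unquoted to the shell. Two things worth adding before merging: a regression test that posts a message containing `;` and a double-quoted JSON value and asserts that intelmqctl receives it as exactly one argument, and a grep of controller.php for any other `'" . escapeshellarg(` concatenation, since the other cases visible here (`message pop`, `process`) take no user input but the rest of the switch is not shown.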
EOF
Workarounds
- Enforce authentication as documented, and
- Restrict usage to browsers that can only reach internal networks (there is no CSRF protection yet, see #111)
See docs/INSTALL.md, section "Security considerations"
References
Further information
The issue was found, because SUNET contracted Intevation to fix the missing CSRF protection (#111) and migrate the backend to Python (#80).
While PHP's escapeshellcmd escapes all shell metacharacters, escapeshellarg also puts single quotes around the string and escapes any conflicting characters inside it (an embedded single quote becomes '\''). This ensures that the resulting string is always treated as a single argument by the shell.
The vulnerable code looked like this:
$cmd = $cmd . " send '" . escapeshellarg($user_input) . "'";
The single quotes added around the argument in the code are immediately closed by the single quotes that escapeshellarg itself adds: for an input X the shell sees ''X'', that is, an empty string, then X unquoted, then another empty string. Any shell metacharacters in X (such as ";", "|" or "$(...)") are therefore interpreted by the shell, and an attacker can inject arbitrary commands. The returned stdout and stderr strings are delivered to the user/attacker.
This bug also broke the legitimate use of the affected function: any valid IntelMQ message submitted for sending through the Inspect tool of the Monitor page was not passed intact to the backend (other related functions such as process were not affected).
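The following PHP example, added here and not taken from IntelMQ Manager, shows both effects described above: the vulnerable concatenation with literal quotes around escapeshellarg() and the fixed one from version 2.1.1. It assumes a Unix system with /bin/sh (escapeshellarg behaves differently on Windows) and uses printf as a stand-in for intelmqctl, so every argument the shell actually hands to the command is printed on its own line. The two input messages are constructed for the demonstration.

```php
<?php
// Added example, not IntelMQ Manager code. "printf" stands in for intelmqctl so
// that each argv element the shell delivers is printed as <argument>. Assumes a
// Unix shell; escapeshellarg() quotes differently on Windows.
declare(strict_types=1);

// The "\\n" in the PHP source becomes a literal \n that printf interprets.
const STUB = "printf '<%s>\\n' message send ";

// Vulnerable construction from the advisory: literal quotes around escapeshellarg().
function vulnerableCommand(string $msg): string
{
    return STUB . "'" . escapeshellarg($msg) . "'";
}

// Fixed construction (IntelMQ Manager 2.1.1): escapeshellarg() alone.
function fixedCommand(string $msg): string
{
    return STUB . escapeshellarg($msg);
}

// Run a command line and return the non-empty output lines, i.e. one entry per
// argument printf received plus anything an injected command printed.
function argvSeen(string $cmd): array
{
    $out = shell_exec($cmd) ?? '';
    return array_values(array_filter(explode("\n", $out), 'strlen'));
}

// Constructed inputs: a legitimate JSON message and an injection attempt.
$inputs = [
    'valid message' => '{"source.ip": "192.0.2.1"}',
    'injection'     => '{}; echo INJECTED',
];

foreach ($inputs as $label => $msg) {
    foreach (['vulnerableCommand', 'fixedCommand'] as $builder) {
        $cmd = $builder($msg);
        echo "== $label via $builder ==\n$cmd\n";
        foreach (argvSeen($cmd) as $line) {
            echo "  $line\n";
        }
    }
}
```

With the vulnerable builder the valid message arrives as two arguments with its double quotes stripped (`<{source.ip:>` and `<192.0.2.1}>`), and the injection input prints `INJECTED` from a second command. With the fixed builder both inputs arrive as exactly one argument after `<message>` and `<send>`, and `echo INJECTED` is never executed.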
For more information
If you have any questions or comments about this advisory or IntelMQ Manager, you can: