FUN WITH LINUX

FIWARE Keyrock: Command Injection in Applicationname

12 August 2024

Identifier: AIT-SA-20240514-04
Target: FIWARE Keyrock
Vendor: FIWARE
Version: all versions including 8.4
CVE: CVE-2024-42166
Accessibility: Remote
Severity: Critical (9.1)
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

Summary

The function generate_app_certificates in lib/app_certificates.js in all versions of FIWARE Keyrock including 8.4 does not neutralize special elements used in an OS Command properly. This allows an authenticated user with permissions to create applications to execute commands by creating an application with a malicious name.

Proof of Concept

In file lib/app_certificates.js there is a command execution that invokes openssl. By modifying the application name, it is possible to inject malicious commands:

Code that shows interpolation in a command-line-string

By adding an application as an authenticated user, it is possible to inject a command using a forged application name:

Screenshot shows steps to the command injection

As soon as we send this form to the server, the following command will be executed:

Screenshot shows the command-line string with command injection

To confirm that the injected command was executed, we can check the filesystem:

Screenshot shows the created file in the filesystem. Injection worked
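The following is an added illustration of the interpolation problem described above, not Keyrock's own code: a string-built openssl command next to the argv-based, allowlisted form that keeps the application name out of the shell. Function names, the regex, and the sample name are assumptions.

```javascript
// Added example (not from the advisory or the Keyrock code base).
// Shows why interpolating an application name into a shell command string is
// dangerous and how passing it as a discrete argv element avoids the problem.

// Vulnerable pattern: the untrusted name becomes part of one shell string, so
// shell metacharacters in it (; | ` $()) are parsed as command syntax.
function buildCommandUnsafe(appName, outDir) {
  return `openssl req -new -subj "/CN=${appName}" -out ${outDir}/${appName}.csr`;
}

// Hardened pattern, step 1: allowlist the name. Must start alphanumeric (so it
// cannot be read as an openssl option) and may not contain '/' (no path
// traversal into outDir) or any shell metacharacter.
const APP_NAME_RE = /^[A-Za-z0-9][A-Za-z0-9 _.-]{0,63}$/;

function isSafeAppName(appName) {
  return typeof appName === 'string' && APP_NAME_RE.test(appName);
}

// Hardened pattern, step 2: build an argv array. Each value is exactly one
// argument to openssl regardless of its contents.
function buildOpensslArgs(appName, outDir) {
  if (!isSafeAppName(appName)) {
    throw new Error('application name contains disallowed characters');
  }
  return ['req', '-new', '-subj', `/CN=${appName}`, '-out', `${outDir}/${appName}.csr`];
}

// Hardened pattern, step 3: execFile spawns openssl directly with no shell, so
// argv reaches the binary verbatim. (Hypothetical wrapper; not run by the test.)
function generateAppCertificate(appName, outDir, cb) {
  let args;
  try {
    args = buildOpensslArgs(appName, outDir);
  } catch (e) {
    return cb(e);
  }
  const { execFile } = require('child_process');
  execFile('openssl', args, (err, stdout, stderr) => cb(err, stdout, stderr));
}

// Constructed sample: a name carrying a shell metacharacter. In the unsafe
// string it terminates the openssl command; the allowlist rejects it outright.
const SAMPLE_NAME = 'demo; echo injected';
```

Compare `buildCommandUnsafe(SAMPLE_NAME, '/tmp')` with `buildOpensslArgs('demo', '/tmp')` to see the difference between a shell string and an argv array.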

Vulnerable Versions

All versions including 8.4 are affected.

Tested Versions

FIWARE Keyrock 8.4

Impact

An authenticated user with permissions to create applications could inject shell commands by creating an application with a malicious name.

Mitigation

Currently (August 12th, 2024) there is no known mitigation.

Vendor Contact Timeline

2023-12-19 Initial contact with FIWARE
2024-03-01 Asked again about the status
2024-08-12 Public disclosure

Advisory URL

https://pentest.ait.ac.at/security-advisory/fiware-keyrock-command-injection-in-applicationname/

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 Unported License.

Copyright 2015-present Hoti