FUN WITH LINUX

FIWARE Keyrock: Command Injection in Organisationname

12 August 2024

Identifier: AIT-SA-20240514-04
Target: FIWARE Keyrock
Vendor: FIWARE
Version: all versions including 8.4
CVE: CVE-2024-42167
Accessibility: Remote
Severity: Critical (9.1)
Author: Wolfgang Hotwagner (AIT Austrian Institute of Technology)

Summary

The function generate_app_certificates in controllers/saml2/saml2.js in all versions of FIWARE Keyrock up to and including 8.4 does not properly neutralize special elements used in an OS command. This allows an authenticated user with permission to create applications to execute arbitrary commands on the server by creating an application with a malicious organisationname.

Proof of Concept

In file controllers/saml2/saml2.js there is a command execution that invokes openssl. By modifying the organisation name it is possible to inject malicious commands, because the organisationname is simply concatenated into the command string rather than passed as a separate argument. The following screenshot illustrates the concatenation:

[Screenshot: code that shows interpolation of the organisation name into a command-line string]

For further information see the related advisory Command Injection in Applicationname, which describes the same pattern for the application name.

Vulnerable Versions

All versions up to and including 8.4 are affected.

Tested Versions

FIWARE Keyrock 8.4

Impact

An authenticated user with permission to create applications can inject shell commands by creating an application with a malicious organisationname. The injected commands run with the privileges of the Keyrock server process.

Mitigation

As of the date of publication (August 12th, 2024) there is no known vendor mitigation.

Vendor Contact Timeline

2023-12-19 Initial contact with FIWARE
2024-03-01 Asked again about the status
2024-08-12 Public disclosure

Advisory URL

https://pentest.ait.ac.at/security-advisory/fiware-keyrock-command-injection-in-organisationname/

[ Programming  Web  Security  Ruby  Rails  CVE  ]
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 Unported License.

Copyright 2015-present Hoti