ghsa-7hpf-g48v-hw3j
Vulnerability from github
Published
2024-11-12 21:28
Modified
2024-11-19 19:38
Severity ?
0.0 (None) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N
7.3 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Summary
Zoraxy has an authenticated command injection in the Web SSH feature
Details

Summary

A command injection vulnerability in the Web SSH feature allows an authenticated attacker to execute arbitrary commands as root on the host.

Details

Zoraxy has a Web SSH terminal feature that allows authenticated users to connect to SSH servers from their browsers. In HandleCreateProxySession the request to create an SSH session is handled. After checking for the presence of required parameters, ensuring that the target is not the loopback interface and that there is actually an SSH service running on the target, CreateNewConnection is called:

https://github.com/tobychui/zoraxy/blob/e79a70b7acfa45c2445aff9d60e4e7525c89fec8/src/mod/sshprox/sshprox.go#L165-L178

In line 178, the gotty binary is executed running sshCommand from the line above. It contains the user-controlled variable connAddr, which includes the hostname of the SSH server and - if provided - the username. An attacker can exploit the username variable to escape from the bash command and inject arbitrary commands into sshCommand. This is possible, because, unlike hostname and port, the username is not validated or sanitized.

This vulnerability was introduced in https://github.com/tobychui/zoraxy/commit/c07d5f85dfc37bd32819358ed7d4bc32c604e8f0. If Zoraxy is run without authentication of the management interface (started with-noauth), this vulnerability can be exploited without authentication. Additionally, if Zoraxy is run in Docker with the Docker socket mounted (as described in https://github.com/tobychui/zoraxy/blob/9cb315ea6739d1cc201b690322d25166b12dc5db/docker/README.md), this vulnerability can be exploited to escape the Zoraxy container and gain access to the Docker host.

PoC

  1. Download and run Zoraxy as described in the README
  2. Setup a user
  3. Login as user
  4. Navigate to Other -> Network Tools -> Connection
  5. Enter hostname / IP of any server with SSH running, e.g. github.com
  6. Enter ; bash ; as user
  7. Click Connect using SSH
  8. A window will open with bash running on the Zoraxy host

Demo:

https://github.com/user-attachments/assets/5a3d8771-167f-4a79-8665-ed0dfb490181

Impact

This vulnerability allows an authenticated attacker to gain remote code execution with the privileges of the Zoraxy process (root by default). This affects Zoraxy versions 2.6.1 through 3.1.2.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/tobychui/zoraxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.1"
            },
            {
              "fixed": "3.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-52010"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-12T21:28:25Z",
    "nvd_published_at": "2024-11-12T17:15:10Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA command injection vulnerability in the Web SSH feature allows an authenticated attacker to execute arbitrary commands as root on the host.\n\n### Details\nZoraxy has a Web SSH terminal feature that allows authenticated users to connect to SSH servers from their browsers.\nIn [`HandleCreateProxySession`](https://github.com/tobychui/zoraxy/blob/9cb315ea6739d1cc201b690322d25166b12dc5db/src/webssh.go#L19) the request to create an SSH session is handled. After checking for the presence of required parameters, ensuring that the target is not the loopback interface and that there is actually an SSH service running on the target, `CreateNewConnection` is called:\n\nhttps://github.com/tobychui/zoraxy/blob/e79a70b7acfa45c2445aff9d60e4e7525c89fec8/src/mod/sshprox/sshprox.go#L165-L178\n\nIn line 178, the `gotty` binary is executed running `sshCommand` from the line above. It contains the user-controlled variable `connAddr`, which includes the hostname of the SSH server and - if provided - the username.\nAn attacker can exploit the `username` variable to escape from the `bash` command and inject arbitrary commands into `sshCommand`. This is possible, because, unlike hostname and port, the username is not validated or sanitized.\n\nThis vulnerability was introduced in https://github.com/tobychui/zoraxy/commit/c07d5f85dfc37bd32819358ed7d4bc32c604e8f0.\nIf Zoraxy is run without authentication of the management interface (started with`-noauth`), this vulnerability can be exploited without authentication.\nAdditionally, if Zoraxy is run in Docker with the Docker socket mounted (as described in https://github.com/tobychui/zoraxy/blob/9cb315ea6739d1cc201b690322d25166b12dc5db/docker/README.md), this vulnerability can be exploited to escape the Zoraxy container and gain access to the Docker host.\n\n### PoC\n1. Download and run Zoraxy as described in the [README](https://github.com/tobychui/zoraxy/blob/9a371f5bcbccce0918c61621f3b26ee549e01b90/README.md#standalone-mode)\n2. Setup a user\n3. Login as user\n4. Navigate to Other -\u003e Network Tools -\u003e Connection\n5. Enter hostname / IP of any server with SSH running, e.g. `github.com`\n6. Enter `; bash ;` as user\n7. Click `Connect using SSH`\n8. A window will open with `bash` running on the Zoraxy host\n\nDemo:\n\nhttps://github.com/user-attachments/assets/5a3d8771-167f-4a79-8665-ed0dfb490181\n\n### Impact\nThis vulnerability allows an authenticated attacker to gain remote code execution with the privileges of the Zoraxy process (root by default). This affects Zoraxy versions 2.6.1 through 3.1.2.",
  "id": "GHSA-7hpf-g48v-hw3j",
  "modified": "2024-11-19T19:38:19Z",
  "published": "2024-11-12T21:28:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tobychui/zoraxy/security/advisories/GHSA-7hpf-g48v-hw3j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52010"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tobychui/zoraxy/commit/2e9bc77a5d832bff1093058d42ce7a61382e4bc6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tobychui/zoraxy/commit/c07d5f85dfc37bd32819358ed7d4bc32c604e8f0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tobychui/zoraxy"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-3267"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Zoraxy has an authenticated command injection in the Web SSH feature"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.