Impact
It was discovered that the Rudder backend offers an endpoint to upload files to an inventory. When processing such an upload, the endpoint handler reads the files from the request and uses their names, without sanitizing them, to persist the uploaded files to the local file system. To upload files, the user must be assigned the user role, which carries permission to edit nodes. Furthermore, it was noted that the backend runs as the root user and that the backend contains an endpoint to run a debug info script stored locally on the host running the Rudder backend. The purpose of this debug info script is to gather statistics about all components of Rudder. Together, these circumstances result in a remote code execution vulnerability on the host running the Rudder backend.
In fact, an attacker holding a Rudder account with the user role can execute arbitrary code on the Rudder backend in several steps. First, the attacker uploads a shell script to the Rudder backend host via the inventory upload endpoint. In that upload, the attacker places path traversal sequences in the file name so that the write lands on Rudder's built-in debug info script, overwriting the existing script while its executable permissions are retained. The attacker finally triggers execution by sending a request to the system/debug/info endpoint of the Rudder API, which consequently runs the attacker's shell script as root.
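The defect described above is the classic unsafe join of a client-controlled file name onto a server directory. The following Python is an added example, not Rudder's code: it shows that pattern next to a strict check that only ever writes a single allowlisted path component inside the upload directory (the directory and file names used are constructed for the example).

```python
# Added example (not Rudder's code): safe handling of a client-supplied upload file name.
import os
import re
from pathlib import Path

class UnsafeFilename(ValueError):
    """Raised when a client-supplied name could escape the upload directory."""

# Allowlist: one path component, printable, no leading dot, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")

def naive_upload_path(upload_dir: str, client_name: str) -> str:
    # The vulnerable pattern: the name is treated as a path, so "../" walks out
    # of upload_dir and can land on any file the service account may write.
    return os.path.join(upload_dir, client_name)

def safe_upload_path(upload_dir: str, client_name: str) -> Path:
    """Return the path under upload_dir where the file may be written, or raise.

    Three independent checks, so a bypass of one is still caught by the next:
    1. no separators or NUL (nothing that can create a directory component),
    2. an allowlist on the remaining name (rejects "..", hidden files, encodings),
    3. the fully resolved target must still sit directly inside upload_dir.
    """
    if "/" in client_name or "\\" in client_name or "\x00" in client_name:
        raise UnsafeFilename(f"separator in name: {client_name!r}")
    if not SAFE_NAME.fullmatch(client_name):
        raise UnsafeFilename(f"name not in allowlist: {client_name!r}")
    base = Path(upload_dir).resolve()
    target = (base / client_name).resolve()
    if target.parent != base:  # defence in depth, e.g. against a symlinked name
        raise UnsafeFilename(f"resolved outside upload dir: {target}")
    return target

def is_safe_upload_name(upload_dir: str, client_name: str) -> bool:
    """Convenience wrapper for audits/tests: True if the name would be accepted."""
    try:
        safe_upload_path(upload_dir, client_name)
        return True
    except UnsafeFilename:
        return False

if __name__ == "__main__":
    # Constructed names: one legitimate inventory file, one traversal attempt.
    print(os.path.normpath(naive_upload_path("/srv/uploads", "../../tmp/evil.sh")))
    print(safe_upload_path("/srv/uploads", "node01.ocs"))
```

Even with the name check in place, the backend should run under a dedicated low-privilege account so that an overwritten file is never executed as root.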
Patches
Workarounds
None.
References
Bugtracker :