Command Injection in yogeshojha/rengine

Valid

Reported on Sep 1st 2021

✍️ Description

Remote code execution via the proxy feature of reNgine. reNgine lets a user add proxies for the scan tools (for example httpx) to use during a scan. The stored proxy value is inserted into the shell command line that launches httpx without being validated or escaped, so a proxy entry containing shell metacharacters injects an additional command that runs on the system performing the scan.

🕵️‍♂️ Proof of Concept

Add ';echo RCE_IN_RENGINE' (including the quotes) as the only proxy in the proxy list under Proxy settings. Then start a subdomain-only scan against any target and watch the scan logs. When httpx is executed, the leading quote closes the quoted proxy argument in the httpx command line and the semicolon ends that command, so the shell runs echo as a separate command: RCE_IN_RENGINE appears in the logs at the beginning of the line that ends with -json -o /usr/src/scan_results/$results_dir/httpx.json. This PoC is deliberately simple and harmless; the echo can be replaced by any other command.

💥 Impact

Any user who can edit the proxy settings and start a scan can execute arbitrary commands on the system running reNgine, with whatever privileges the scan process has.

Suggested fix

Validate that an added proxy parses as a well-formed HTTP URL before it is stored in the database, so that shell metacharacters never reach the command line. Independently of that check, building the httpx invocation as an argument list instead of a shell string would close the same hole even if an invalid value were stored.
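The injection from the proof of concept and the validation suggested above, as an added example that is not reNgine's own code. build_command_vulnerable is a hypothetical string-built command line in the style the report describes (reNgine's real httpx invocation is longer and quoted differently), the binary "true" stands in for httpx so the demo runs offline, and is_valid_proxy_url uses only the standard library's urllib.parse rather than a third-party URL validator. It goes one step beyond the report: build_argv shows the complementary fix of passing the proxy as a separate argv element so that no shell ever parses it, with the validator kept as a second line of defence.

```python
"""Command injection through a proxy setting, and two ways to close it.

Added example, not reNgine's own code: the command template, the stand-in
scanner binary and the sample inputs are constructed for illustration.
"""
import re
import subprocess
from typing import List, Optional
from urllib.parse import urlsplit

# Stand-in for the httpx binary so the demo runs offline: `true` accepts any
# arguments and exits 0. (Constructed substitution, not what reNgine executes.)
SCANNER_BIN = "true"

# Payload from the report: a harmless marker, nothing more.
MARKER = "RCE_IN_RENGINE"
PAYLOAD = f"';echo {MARKER}'"

ALLOWED_SCHEMES = {"http", "https", "socks5"}
# Deliberately narrower than a generic URL validator: nothing a shell could
# interpret (quotes, spaces, ';', '$', '`', '|') is allowed anywhere.
SAFE_CHARS = re.compile(r"[A-Za-z0-9.\-_~%:@/\[\]]+")


def build_command_vulnerable(input_file: str, results_dir: str, proxy: Optional[str]) -> str:
    """Hypothetical string-built command in the style the report describes.
    The proxy is wrapped in single quotes, but the result is still a shell
    string, so a proxy value that contains a quote ends the quoting early."""
    cmd = f"{SCANNER_BIN} -l {input_file} -json -o {results_dir}/httpx.json"
    if proxy:
        cmd += f" -http-proxy '{proxy}'"
    return cmd


def run_vulnerable(proxy: Optional[str]) -> str:
    """Run the string-built command through sh and return what it printed.
    With PAYLOAD the shell sees  -http-proxy '';echo RCE_IN_RENGINE''  and
    runs echo as a second command after the scanner."""
    cmd = build_command_vulnerable("subdomains.txt", "/tmp/scan", proxy)
    proc = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    return proc.stdout


def is_valid_proxy_url(proxy: str) -> bool:
    """Allow-list check in the spirit of the suggested fix: the value must be an
    absolute http/https/socks5 URL with a host, an in-range port if any, and
    no path, query or fragment (a proxy endpoint has none)."""
    if not proxy or not SAFE_CHARS.fullmatch(proxy):
        return False
    parts = urlsplit(proxy)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    try:
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return False
    return True


def build_argv(input_file: str, results_dir: str, proxy: Optional[str]) -> List[str]:
    """Argument vector handed straight to the binary. No shell is involved, so
    metacharacters have no meaning and the proxy is always exactly one argument;
    validation is kept as well so junk never reaches the database or httpx."""
    if proxy is not None and not is_valid_proxy_url(proxy):
        raise ValueError(f"rejected proxy value: {proxy!r}")
    argv = [SCANNER_BIN, "-l", input_file, "-json", "-o", f"{results_dir}/httpx.json"]
    if proxy:
        argv += ["-http-proxy", proxy]
    return argv


def run_hardened(proxy: Optional[str]) -> str:
    """Run the argv form without a shell and return its stdout (empty for `true`)."""
    argv = build_argv("subdomains.txt", "/tmp/scan", proxy)
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    print("shell string :", build_command_vulnerable("subdomains.txt", "/tmp/scan", PAYLOAD))
    print("shell printed:", run_vulnerable(PAYLOAD).strip())
    print("validator    :", is_valid_proxy_url(PAYLOAD), is_valid_proxy_url("http://127.0.0.1:8080"))
    print("argv form    :", build_argv("subdomains.txt", "/tmp/scan", "http://127.0.0.1:8080"))
```

Run as a script: the first line printed is the exact string the shell receives, the second is the marker that echo wrote, which is the same observation the proof of concept makes in the scan logs. The validator rejects the payload because it contains a quote, a space and a semicolon, and build_argv raises before anything is executed; with a well-formed proxy the argv form runs with the proxy as a single argument, so even a value that slipped past validation could not become a second command.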

We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 10 months ago
Yogesh Ojha validated this vulnerability 10 months ago
Koen Molenaar has been awarded the disclosure bounty
The fix bounty is now up for grabs
Yogesh Ojha
10 months ago

Maintainer


I thought about this for some time, about how we can fix it. Your idea seems to be great; however, I am not able to come up with a valid regex for all proxies. Do you have any idea how we can mitigate this?

Koen Molenaar
10 months ago

Researcher


I don't think you need a regex; you can probably use the validators package to validate the proxies as URLs, in the same way as you validate that the domain name of a target is an actual domain.

Yogesh Ojha confirmed that a fix has been merged on 8fed51 a month ago
The fix bounty has been dropped
Yogesh Ojha gave praise a month ago
Thank you for reporting this. This has been fixed and acknowledged in security.md. https://github.com/yogeshojha/rengine/commit/8fed51a443503c0d2df659d859f806b54f2e6c09 Thanks again