Command Injection in yogeshojha/rengine
Reported on Sep 1st 2021
✍️ Description
RCE via the proxy feature of Rengine. Proxies can be added in Rengine for executables like httpx to use in a scan. The proxy value is not validated before it is handed to the scan command, so this functionality can be used to inject a shell command and run arbitrary code.
🕵️‍♂️ Proof of Concept
Add this as the only proxy in the proxy list in the Proxy settings: ';echo RCE_IN_RENGINE', including the quotes. Then start a subdomain-only scan against a random target. Then watch the logs; after httpx is executed, RCE_IN_RENGINE should appear in the logs at the beginning of the line that ends with -json -o /usr/src/scan_results/$results_dir/httpx.json. This is a simple & harmless PoC.
💥 Impact
An attacker can execute arbitrary commands on the system.
Suggested fix
Validate that added proxies are valid HTTP URLs before adding them to the database.
I thought for some time about how we can fix this. Your idea seems to be great; however, I am not able to come up with a valid regex for all proxies. Do you have any idea of how we can mitigate this?
I don't think you need a regex; you can probably use the validators package to validate the proxies as URLs, in the same way as you validate that the domain name of a target is an actual domain.
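The mitigation discussed in the Suggested fix and in the thread above, worked through as an added example. This is illustrative code written for this report, not rengine's own implementation and not code from either commenter. It assumes proxies are stored as plain strings and later passed to an external tool such as httpx; it uses only the standard library (the thread suggests the validators package, and urllib.parse stands in for it here so the example runs without extra dependencies). The accepted scheme set, the -http-proxy flag, the file paths and the sample proxy addresses are assumptions or constructed values. It also shows the second half of the fix that the validation alone does not give you: building the tool invocation as an argv list so that no shell ever parses the proxy string.

```python
"""Added example (not rengine's code): validate proxy entries and keep them
out of a shell. Assumes proxies are plain strings handed to an external tool."""
import re
from typing import List
from urllib.parse import urlsplit

# Assumption: schemes the scan tools are expected to accept.
ALLOWED_SCHEMES = {"http", "https", "socks5"}

# Character allowlist for the whole proxy string. Quotes, ';', '$', '(', '`',
# whitespace and other shell metacharacters are simply not in this set, so the
# PoC value ';echo RCE_IN_RENGINE' is rejected before any parsing happens.
# Credentials, if used, must be percent-encoded. IPv6 literals ([::1]) are out
# of scope for this example.
_ALLOWED_CHARS = re.compile(r"[A-Za-z0-9.\-_:/@%]+")

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, <= 63 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}")


def is_valid_proxy(value: str) -> bool:
    """Return True only for a well-formed proxy URL such as http://10.0.0.5:8080.

    Checks, in order: character allowlist, parseable URL, allowed scheme,
    syntactically valid host, numeric port, and no path/query/fragment (a proxy
    address has no business carrying any of those).
    """
    if not isinstance(value, str) or not _ALLOWED_CHARS.fullmatch(value):
        return False
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if not parts.hostname or not _HOST_RE.fullmatch(parts.hostname):
        return False
    try:
        parts.port  # raises ValueError when the port is not an integer in range
    except ValueError:
        return False
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    return True


def filter_proxy_list(values: List[str]) -> List[str]:
    """Keep only the entries that pass validation; what the settings form would store."""
    return [v for v in values if is_valid_proxy(v)]


def build_httpx_argv(proxy: str, input_file: str, output_file: str) -> List[str]:
    """Build the tool invocation as an argv list (subprocess.run(argv) with shell=False).

    The unsafe pattern this replaces is string interpolation into a shell command,
    e.g. f"httpx -l {input_file} -http-proxy {proxy} -json -o {output_file}" run with
    shell=True, where a proxy value containing ';' ends the httpx command and starts
    a new one. As an argv element the proxy is only ever a single argument.
    The -http-proxy flag name is an assumption; check the httpx version in use.
    """
    if not is_valid_proxy(proxy):
        raise ValueError(f"refusing to use malformed proxy entry: {proxy!r}")
    return ["httpx", "-l", input_file, "-http-proxy", proxy, "-json", "-o", output_file]


if __name__ == "__main__":
    # Constructed sample entries; the last three are the kinds of value the fix must reject.
    candidates = [
        "http://10.0.0.5:8080",
        "socks5://127.0.0.1:1080",
        "';echo RCE_IN_RENGINE'",
        "http://proxy.example.com:8080/$(id)",
        "http://proxy.example.com:abc",
    ]
    for c in candidates:
        print(f"{c!r:45} -> {'accepted' if is_valid_proxy(c) else 'rejected'}")
    print(build_httpx_argv("http://10.0.0.5:8080", "subdomains.txt", "/tmp/httpx.json"))
```

Validation alone only narrows the input; the argv builder is what removes the shell from the path entirely, so even a value that slips past a future change to the allowlist cannot become a second command.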