Command Injection in yogeshojha/rengine

Valid

Reported on

Sep 1st 2021


✍️ Description

RCE via the proxy feature of Rengine. Proxies can be added in Rengine for executables like httpx to use in a scan. This functionality can be used to inject a command and run arbitrary code.

🕵️‍♂️ Proof of Concept

Add this as the only proxy in the proxy list in the Proxy settings: ';echo RCE_IN_RENGINE', including the quotes. Then start a subdomain-only scan against a random target and watch the logs: after httpx is executed, RCE_IN_RENGINE should appear in the logs at the beginning of the line that ends with -json -o /usr/src/scan_results/$results_dir/httpx.json. This is a simple & harmless PoC.

💥 Impact

An attacker can execute arbitrary commands on the system.

Suggested fix

Validate that added proxies are valid HTTP URLs before adding them to the database.

We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 2 years ago
Yogesh Ojha validated this vulnerability 2 years ago
k0enm has been awarded the disclosure bounty
The fix bounty is now up for grabs
Yogesh Ojha
2 years ago

Maintainer


I thought about this for some time on how we can fix it. Your idea seems to be great, however I am not able to come up with a valid regex for all proxies. Do you have any idea on how we can mitigate this?

Koen Molenaar
2 years ago

Researcher


I don't think you need regex, you can probably use the validators package to validate the proxies as URLs, in the same way as you validate that the domain name of a target is an actual domain.
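The check the Suggested fix and the two comments above ask for, as an added example that is not reNgine's own code: it validates a proxy as a URL (here with the standard library's urllib.parse instead of the validators package, which would do the same job) and builds the httpx invocation as an argv list rather than a shell string. The helper names and the httpx `-http-proxy` flag are assumptions; the output path is the one quoted in the PoC.

```python
import subprocess
from urllib.parse import urlsplit

# Assumed, illustrative names: this is not reNgine's own code. The page suggests the
# `validators` package (validators.url); this version uses only the standard library.
ALLOWED_SCHEMES = {"http", "https", "socks5"}


def is_valid_proxy(proxy: str) -> bool:
    """Accept only a bare proxy URL such as http://10.0.0.5:8080 (constructed value).

    Rejects anything that is not scheme://[user:pass@]host[:port], so shell
    metacharacters never reach a command line in the first place.
    """
    if not isinstance(proxy, str) or not proxy or proxy != proxy.strip():
        return False
    parts = urlsplit(proxy)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False
    try:
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return False
    # Hostname: letters, digits, '.', '-' and ':' (IPv6 literal) only.
    return all(c.isalnum() or c in ".-:" for c in parts.hostname)


def build_httpx_command_unsafe(proxy: str, results_dir: str) -> str:
    """The vulnerable pattern from the report: the stored proxy is spliced into a
    shell string, so a value containing ';' becomes a second command when the
    string is handed to a shell."""
    return f"httpx -http-proxy {proxy} -json -o /usr/src/scan_results/{results_dir}/httpx.json"


def build_httpx_argv(proxy: str, results_dir: str) -> list[str]:
    """Hardened pattern: validate at input time and build an argv list, which
    subprocess runs without a shell, so no metacharacter is ever interpreted."""
    if not is_valid_proxy(proxy):
        raise ValueError(f"rejected proxy value: {proxy!r}")
    out = f"/usr/src/scan_results/{results_dir}/httpx.json"
    return ["httpx", "-http-proxy", proxy, "-json", "-o", out]


def run_httpx(proxy: str, results_dir: str) -> int:
    """Run httpx with the validated argv (no shell=True). Returns the exit status."""
    return subprocess.run(build_httpx_argv(proxy, results_dir), check=False).returncode
```

The same validation belongs at the point where a proxy is saved to the database, as the fix suggests, so a bad value is rejected before any scan is started.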

Yogesh Ojha marked this as fixed in 1.2.0 with commit 8fed51 2 years ago
The fix bounty has been dropped
Yogesh Ojha gave praise 2 years ago
Thank you for reporting this. This has been fixed and acknowledged in security.md. https://github.com/yogeshojha/rengine/commit/8fed51a443503c0d2df659d859f806b54f2e6c09 Thanks again