Code Injection in yogeshojha/rengine

Valid

Reported on

Sep 30th 2021


Description

RCE via the YAML configuration of reNgine. In this configuration, the settings of the tools used in scans can be adapted. This functionality can be abused to executy arbitrary code.

PoC

In the yaml configuration of reNgine, edit the extensions field of dir_file_search to make it look like this:

extensions: [";echo TEST1234"]

Then, start a scan with any scan engine that includes subdomain discovery and directory search. The subdomain scan must return valid, alive subdomains in order for the directory searching to begin. Then, watch the logs and the dirsearch usage should be printed, with TEST1234 echo'd multiple times in the logs.

Impact

An attacker can execute arbitrary commands on the system.

Suggested fix

Do not trust user controlled data and do not directly inject it into the command. You should check inputted extensions on an allowlist, and reject any which do not conform to the allow list.

Location

https://github.com/yogeshojha/rengine/blob/83e6d6716289212e611145ec68c32199e25a31e6/web/reNgine/tasks.py#L861

https://github.com/yogeshojha/rengine/blob/83e6d6716289212e611145ec68c32199e25a31e6/web/reNgine/tasks.py#L892

https://github.com/yogeshojha/rengine/blob/83e6d6716289212e611145ec68c32199e25a31e6/web/reNgine/tasks.py#L922

We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 9 months ago
Yogesh Ojha
9 months ago

Maintainer


Hi,

Correct me if I am wrong, but shouldn't this be intentional? That is how engine configuration from YAML becomes a command-line args for the tools we are using.

Exploitability is very less likely.

I am not closing this as N/A but can you please explain how do we deliver this payload and what could be the possible fixes?

We have sent a third and final follow up to the yogeshojha/rengine team. This report is now considered stale. 8 months ago
yogeshojha/rengine maintainer has acknowledged this report a month ago
Yogesh Ojha validated this vulnerability a month ago
Koen Molenaar has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Yogesh Ojha
a month ago

Maintainer


Congratulations on your bounty and I appreciate your patience.

This has been fixed.

Yogesh Ojha confirmed that a fix has been merged on 735624 a month ago
Yogesh Ojha has been awarded the fix bounty
to join this conversation