Code Injection in yogeshojha/rengine

Valid

Reported on

Sep 30th 2021


Description

RCE via the YAML configuration of reNgine. This configuration lets users adapt the settings of the tools used in scans, and the functionality can be abused to execute arbitrary code.

PoC

In the YAML configuration of reNgine, edit the extensions field of dir_file_search to make it look like this:

extensions: [";echo TEST1234"]

Then, start a scan with any scan engine that includes subdomain discovery and directory search. The subdomain scan must return valid, alive subdomains in order for the directory searching to begin. Then watch the logs: the dirsearch usage should be printed, with TEST1234 echoed multiple times in the logs.

Impact

An attacker can execute arbitrary commands on the system.

Suggested fix

Do not trust user-controlled data and do not inject it directly into the command. Check the supplied extensions against an allowlist and reject any that do not conform to it.
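As an added illustration of that fix (example code, not reNgine's own), the extensions list from the YAML is validated against an allowlist before the dirsearch command is built, and the command is passed to subprocess as an argv list rather than a shell string. The regex, the length limit and the dirsearch.py path are assumptions; -u and -e are dirsearch's real options.

```python
import re
import subprocess

# Only plain alphanumeric extensions such as "php", "html" or "bak" pass.
# The pattern and the 10-character limit are assumptions for this example.
EXTENSION_RE = re.compile(r"^[A-Za-z0-9]{1,10}$")


def normalize_extension(ext):
    """Strip whitespace and a leading dot, lower-case the result."""
    return ext.strip().lstrip(".").lower()


def is_allowed_extension(ext):
    """True only for a string that matches the allowlist pattern."""
    return isinstance(ext, str) and bool(EXTENSION_RE.match(normalize_extension(ext)))


def validate_extensions(extensions):
    """Return the normalized extensions, or raise ValueError on the first rejected one."""
    if not isinstance(extensions, list):
        raise ValueError("extensions must be a YAML list")
    cleaned = []
    for ext in extensions:
        if not is_allowed_extension(ext):
            # Values such as ";echo TEST1234" end up here and never reach a command.
            raise ValueError(f"extension rejected by allowlist: {ext!r}")
        cleaned.append(normalize_extension(ext))
    return cleaned


def build_dirsearch_argv(target_url, extensions):
    """Build the dirsearch invocation as an argv list, never as a shell string.
    The dirsearch.py path is an assumption; -u and -e are real dirsearch options."""
    exts = validate_extensions(extensions)
    return ["python3", "dirsearch.py", "-u", target_url, "-e", ",".join(exts)]


def run_dirsearch(target_url, extensions):
    # shell=False plus an argv list: each element reaches dirsearch as one
    # argument, so shell metacharacters in it are never interpreted by a shell.
    argv = build_dirsearch_argv(target_url, extensions)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)
```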

Location

https://github.com/yogeshojha/rengine/blob/83e6d6716289212e611145ec68c32199e25a31e6/web/reNgine/tasks.py#L861

https://github.com/yogeshojha/rengine/blob/83e6d6716289212e611145ec68c32199e25a31e6/web/reNgine/tasks.py#L892

https://github.com/yogeshojha/rengine/blob/83e6d6716289212e611145ec68c32199e25a31e6/web/reNgine/tasks.py#L922

We have contacted a member of the yogeshojha/rengine team and are waiting to hear back 2 years ago
Yogesh Ojha
2 years ago

Maintainer


Hi,

Correct me if I am wrong, but shouldn't this be intentional? That is how engine configuration from YAML becomes a command-line args for the tools we are using.

Exploitability is very unlikely.

I am not closing this as N/A, but can you please explain how we would deliver this payload and what the possible fixes could be?

We have sent a third and final follow up to the yogeshojha/rengine team. This report is now considered stale. 2 years ago
yogeshojha/rengine maintainer has acknowledged this report 2 years ago
Yogesh Ojha validated this vulnerability 2 years ago
Koen Molenaar has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Yogesh Ojha
2 years ago

Maintainer


Congratulations on your bounty and I appreciate your patience.

This has been fixed.

Yogesh Ojha marked this as fixed in 1.2.0 with commit 735624 2 years ago
Yogesh Ojha has been awarded the fix bounty
This vulnerability will not receive a CVE