Unauthenticated OS Command Injection in stamparm/maltrail

Valid

Reported on

Feb 24th 2023


Description

Maltrail <= v0.54 is vulnerable to unauthenticated OS command injection during the login process.

Summary

The subprocess.check_output call in maltrail/core/httpd.py contains a command injection vulnerability in the params.get("username") parameter.

An attacker can exploit this vulnerability by injecting arbitrary OS commands into the username parameter. The injected commands will be executed with the privileges of the running process. This vulnerability can be exploited remotely without authentication.

Proof of Concept

curl 'http://hostname:8338/login' \
  --data 'username=;`id > /tmp/bbq`'
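The pattern described in the summary and exercised by the PoC, shown as an added example rather than maltrail's own code: a hypothetical login-logging helper that interpolates the username into a shell string (the vulnerable shape), the same helper rewritten as an argv list with no shell, and an allowlist check a login handler can apply before any external command sees the value. The function names, the use of `echo` and a Python one-liner in place of the real logging binary, and the `;echo INJECTED` payload are all constructed for illustration.

```python
"""
Added example (not maltrail's code): the command-injection pattern described
in the report, a hardened variant, and an input check. The log_login_*
functions are hypothetical stand-ins for the real logging call; "echo" and a
Python -c one-liner replace whatever external command the project runs.
"""
import re
import subprocess
import sys

# Conservative allowlist for usernames: letters, digits, and a few separators.
_USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def log_login_vulnerable(username: str) -> str:
    """Vulnerable pattern: untrusted input is interpolated into a shell
    command string and run with shell=True, so metacharacters such as ';'
    and backticks are interpreted by /bin/sh. Returns what the shell printed."""
    cmd = "echo Failed password for %s" % username
    return subprocess.check_output(cmd, shell=True, text=True)


def log_login_fixed(username: str) -> str:
    """Hardened pattern: no shell at all. The command is an argv list and the
    username travels as one argument, so it is never parsed for metacharacters.
    A Python one-liner stands in for the real logging binary so the example
    runs anywhere Python does."""
    argv = [
        sys.executable,
        "-c",
        "import sys; print('Failed password for', sys.argv[1])",
        username,
    ]
    return subprocess.check_output(argv, text=True)


def is_safe_username(username: str) -> bool:
    """Defence in depth: reject anything outside the allowlist before it
    reaches an external command or a log line."""
    return bool(_USERNAME_RE.match(username))


def log_login(username: str) -> str:
    """What a login handler should do: validate first, then log without a
    shell. Raises ValueError for rejected input, otherwise returns the line."""
    if not is_safe_username(username):
        raise ValueError("username rejected by allowlist")
    return log_login_fixed(username)


if __name__ == "__main__":
    # Constructed, harmless stand-in for the report's payload: a second
    # command after ';' that only echoes a marker.
    payload = ";echo INJECTED"
    print("vulnerable:", repr(log_login_vulnerable(payload)))
    print("fixed:     ", repr(log_login_fixed(payload)))
    print("allowlist: ", is_safe_username(payload))
```

Running the script shows the difference directly: the `shell=True` variant prints a second line, `INJECTED`, because the shell split the string at `;`, while the argv variant prints the whole payload as a literal username. The allowlist is a second, independent layer; the fix that actually removes the bug is dropping the shell.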

Impact

Arbitrary command execution

Occurrences

We are processing your report and will contact the stamparm/maltrail team within 24 hours. 9 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 9 months ago
Chris Wild
9 months ago

Researcher


@admin

I reached out to the maintainer via email. He validated the vulnerability and committed a fix. https://github.com/stamparm/maltrail/commit/a299967318cc226c18a6a07d1be708e3f21edd39

Ben Harvie validated this vulnerability 9 months ago
Chris Wild has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Ben Harvie
9 months ago

Admin


I have validated the report but we will need maintainer validation on the fix as this repository is eligible for a CVE.

Pavlos
9 months ago

Admin


Would you rather we published without a CVE or do you want to wait for the maintainer @Chris?

Pavlos marked this as fixed in 0.55 with commit a29996 9 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Pavlos published this vulnerability 9 months ago
httpd.py#L399 has been validated
Pavlos
9 months ago

Admin


Facilitated completely in private
