CVE-2022-40497: Fix arbitrary code execution flaw in Active Response by vikman90 · Pull Request #14801 · wazuh/wazuh

Wazuh v3.6.1 - v3.13.5, v4.0.0 - v4.2.7, and v4.3.0 - v4.3.7 were discovered to contain an authenticated remote code execution (RCE) vulnerability via the Active Response endpoint.

| Affected versions | Module | Component | Cause | Credits |
| --- | --- | --- | --- | --- |
| 3.6.1 - 3.13.5, 4.0.0 - 4.2.7, 4.3.0 - 4.3.7 | Active Response | Agent & manager | #1217 | All credits to Roshan Guragain |

Thanks to Roshan Guragain for reporting the flaw and helping us improve the product!

Flaw

References to a parent folder are possible in a custom AR API request:

| Method | Endpoint | Data |
| --- | --- | --- |
| PUT | /active-response | `{"command":"!../../../../../../bin/ls"}` |

Impact

A manager administrator with RBAC permissions active-response:command might execute a program outside the Active Response binary folder (/var/ossec/active-response/bin).

  • In versions below 4.2.0, the target command would receive the extra arguments (extra_args) as a command-line parameter list.
  • In 4.2.0 and higher, the target command receives all data (including the extra arguments) in a JSON string via standard input.

Agents from 3.6.1 to 4.1.5

Running a custom Active Response with these parameters:

| Command | Custom | Arguments |
| --- | --- | --- |
| ../../../../root/test.sh | true | [arg1, arg2, arg3] |

This will cause the agent to run /root/test.sh with the following arguments:

```
/var/ossec/active-response/bin/../../../../root/test.sh add arg1 arg2 arg3
```

Agents from 4.2.0 to 4.3.7

Running a custom Active Response with these parameters:

| Command | Arguments |
| --- | --- |
| !../../../../root/test.sh | [arg1, arg2, arg3] |

This will cause the agent to run /root/test.sh with no extra arguments, but the agent will send the following string via stdin:

```json
{"version":1,"origin":{"name":null,"module":"wazuh-execd"},"command":"add","parameters":{"extra_args":["arg1","arg2","arg3"],"alert":{},"program":"active-response/bin/../../../../root/test.sh"}}
```

Proposed fix

We’re implementing protection at two levels:

  1. Prevent the agent (wazuh-execd) from running a custom AR outside active-response/bin.
  2. Filter custom Active Response commands by the API and reject those whose member command contains any reference to a parent folder (../).
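
The check that both layers above share, written out as an added Python example (my own code, not the agent's C from this PR nor the Wazuh API's validator). It models the pre-fix resolution of a custom command name against the AR binary folder, the hardened resolver that refuses any parent-folder reference and confirms the result stays under that folder, and a 4.2.0+-style handler that parses a manager message and builds the stdin JSON. Assumptions not stated on the page: the base folder /var/ossec/active-response/bin (the path quoted in the Impact section), the leading "!" as the custom-command marker, and the message shape used in the Execd test; the sample messages and the script name block-host.sh are constructed for the example.

```python
"""Added example, not Wazuh's own code: a Python model of the two checks the
PR describes, execd refusing to run a custom command outside
active-response/bin and the API rejecting any '..' reference in the command.

Assumptions not stated on the page: the AR binary folder is
/var/ossec/active-response/bin, a custom command is marked by a leading '!',
and the manager -> execd message has the JSON shape of the PR's Execd test.
"""
import json
import posixpath

AR_BIN_DIR = "/var/ossec/active-response/bin"  # assumed base directory


def strip_custom_marker(command: str) -> str:
    # A custom AR command arrives as "!name"; the '!' is not part of the path.
    return command[1:] if command.startswith("!") else command


def naive_program_path(command: str) -> str:
    # Pre-fix behaviour as the page describes it: the name is appended to the
    # AR binary folder with no check, so '../' components walk out of it.
    return posixpath.normpath(posixpath.join(AR_BIN_DIR, strip_custom_marker(command)))


def has_parent_reference(name: str) -> bool:
    # The predicate both layers of the fix rely on: an absolute path or any
    # '..' path component is a reference outside the folder.
    return name.startswith("/") or any(part == ".." for part in name.split("/"))


def safe_program_path(command: str) -> str:
    # Hardened resolver, failing closed: reject parent references up front,
    # then confirm the normalised path still lies strictly inside AR_BIN_DIR.
    name = strip_custom_marker(command)
    if not name or has_parent_reference(name):
        raise ValueError(f"Invalid command name '{command}' provided")
    resolved = posixpath.normpath(posixpath.join(AR_BIN_DIR, name))
    if resolved == AR_BIN_DIR or posixpath.commonpath([AR_BIN_DIR, resolved]) != AR_BIN_DIR:
        raise ValueError(f"Command '{command}' resolves outside {AR_BIN_DIR}")
    return resolved


def handle_execd_message(raw: str) -> dict:
    # Model of the 4.2.0+ agent path: parse the manager message, validate the
    # command, and build the JSON the agent would hand the program on stdin
    # (the program itself gets no extra argv, per the Impact section).
    msg = json.loads(raw)
    try:
        program = safe_program_path(msg["command"])
    except ValueError as err:
        return {"accepted": False, "reason": str(err)}
    params = msg.get("parameters", {})
    stdin_payload = {
        "version": 1,
        "origin": {"name": None, "module": "wazuh-execd"},
        "command": "add",  # the action forwarded in the page's stdin example
        "parameters": {
            "extra_args": params.get("extra_args", []),
            "alert": params.get("alert", {}),
            "program": program,
        },
    }
    return {"accepted": True, "program": program, "stdin": json.dumps(stdin_payload)}


# Constructed sample messages: the traversal attempt from the PR's test and a
# benign custom command (the script name block-host.sh is hypothetical).
TRAVERSAL_MSG = json.dumps({
    "version": 1, "origin": {"name": None, "module": "framework"},
    "command": "!../../../../../../bin/ls",
    "parameters": {"extra_args": [], "alert": {}},
})
BENIGN_MSG = json.dumps({
    "version": 1, "origin": {"name": None, "module": "framework"},
    "command": "!block-host.sh",
    "parameters": {"extra_args": ["arg1", "arg2"], "alert": {}},
})

if __name__ == "__main__":
    print("unchecked resolution:", naive_program_path("!../../../../../../bin/ls"))
    for raw in (TRAVERSAL_MSG, BENIGN_MSG):
        print(handle_execd_message(raw))
```

The component-wise `..` test is the cheap first gate and matches what the page's execd warning reports; the `commonpath` check behind it is defence in depth so that a later change to how names are joined cannot silently reopen the escape.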

Tests

  • Send a custom AR command to Execd containing a reference to the parent folder:

```shell
echo -n '{"version": 1, "origin": {"name": null, "module": "framework"}, "command": "!../../../../../../bin/ls", "parameters": {"extra_args": [], "alert": {}}}' | nc -w0 -Uu /var/ossec/queue/alerts/execq
```

```
2022/09/05 14:48:51 wazuh-execd[6848] exec.c:163 at GetCommandbyName(): WARNING: Active response command '../../../../../../bin/ls' vulnerable to directory traversal attack. Ignoring.
2022/09/05 14:48:51 wazuh-execd[6848] execd.c:465 at ExecdStart(): ERROR: (1311): Invalid command name '!../../../../../../bin/ls' provided.
```

  • Unit tests to check that GetCommandbyName rejects custom commands with path traversal.
  • The API rejects custom ARs with commands referring to the parent folder:

```shell
curl -H "Content-Type: application/json" -X PUT https://localhost:55000/active-response?agents_list=001 --data '{"command":"!../../../../../../bin/ls"}'
```

```json
{"title": "Bad Request", "detail": "'!../../../../../../bin/l' is not a 'active_response_command' - 'command'"}
```
