CVE-2020-36642: Privilege escalation using cputime parameter and runguard · Issue #39 · trampgeek/jobe
A vulnerability classified as critical was found in trampgeek jobe up to 1.6.x. It affects the function run_in_sandbox in the file application/libraries/LanguageTask.php, and the manipulation leads to command injection. Upgrading to version 1.7.0 addresses this issue. The name of the patch is 8f43daf50c943b98eaf0c542da901a4a16e85b02. It is recommended to upgrade the affected component. The identifier VDB-217553 was assigned to this vulnerability.
Closed · myyxl opened this issue Nov 18, 2020 · 2 comments
**myyxl** commented Nov 18, 2020
Hello,
I have found a bug that can lead to a privilege escalation.
Most of the input which the user can control is escaped using escapeshellarg, but using the cputime parameter, which is not escaped, you can create a command injection which leads to a privilege escalation.
Here you can see that cputime is not escaped and is directly set into the sandbox command which is executed by the user www-data.
Once you have access to the webroot you can patch runguard to accept root as a valid user and execute commands as root.
I have also a proof-of-concept script but I won’t upload it here for security reasons.
If there are any further questions, I’ll be happy to help.
Sincerely,
Marlon
trampgeek added a commit that referenced this issue
Nov 20, 2020
issue #39 (#39). Thanks Marlon (myxxl).
Hi Marlon.
Many thanks for finding and reporting the vulnerability. Thanks for the fix, too, though I’ve chosen to run with a slight variant on your code. I’ve modified getParam so that if a supplied parameter is non-numeric and the default parameter is numeric, the default is used. Change pushed to GitHub. Please confirm that my change addresses that issue (and any similar ones).
Thanks again
Richard
**myyxl** commented Nov 20, 2020
Hi Richard,
The fix you made works. Command injections aren’t possible anymore using the cputime parameter.
Thanks for the quick response!
Sincerely,
Marlon
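The rule described in the thread (a non-numeric supplied value falls back to the default whenever the default is numeric), shown as an added example that is not jobe's own code. The function names `param_or_default` and `build_command`, the `sandbox-wrapper` command with its `--time` option, and the sample inputs are all hypothetical.

```php
<?php
// Added example: hypothetical helper illustrating the rule from the thread.
// It is not jobe's getParam implementation.
function param_or_default(array $supplied, array $defaults, string $key)
{
    $default = $defaults[$key] ?? null;
    if (!array_key_exists($key, $supplied)) {
        return $default;
    }
    $value = $supplied[$key];
    // A numeric default means the parameter must be numeric: anything else
    // (for example a string carrying shell metacharacters) is discarded.
    if (is_numeric($default) && !is_numeric($value)) {
        return $default;
    }
    return $value;
}

// Hypothetical command builder; "sandbox-wrapper" and "--time" are placeholders.
function build_command(array $supplied, array $defaults): string
{
    $cputime = param_or_default($supplied, $defaults, 'cputime');
    $source  = param_or_default($supplied, $defaults, 'sourcefile');
    // Second layer: is_numeric() also accepts forms such as "1e3" and
    // leading whitespace, so the validated value is still escaped.
    return sprintf(
        'sandbox-wrapper --time=%s %s',
        escapeshellarg((string) $cputime),
        escapeshellarg((string) $source)
    );
}

$defaults = ['cputime' => 5, 'sourcefile' => 'prog.py'];

// Constructed request parameters, one per case.
$cases = [
    'numeric'  => ['cputime' => '10'],
    'metachar' => ['cputime' => '10; echo constructed-marker'],
    'missing'  => [],
];

foreach ($cases as $label => $supplied) {
    printf("%-9s %s\n", $label, build_command($supplied, $defaults));
}
```

Running the script prints the command built for each case, so the substitution of the default for the non-numeric `cputime` value can be checked directly.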