Headline
CVE-2022-41945: RCE Vulnerability in URL input
super-xray is a GUI launcher for the xray vulnerability scanner. In version 0.1-beta the target URL entered in the GUI is not filtered or validated and is concatenated directly into the command line that launches xray, which is then handed to a shell (`/bin/bash -c` or `cmd.exe /c`). A URL containing shell metacharacters can therefore execute arbitrary commands on the machine running super-xray. Users should upgrade to super-xray 0.2-beta.
Severity
- Security level: Moderate
- Attack vector: Local
- Attack complexity: Low
- Privileges required: High
- User interaction: Required
- Scope: Unchanged
- Confidentiality impact: High
- Integrity impact: High
- Availability impact: High
Vendor
super-xray
Versions Affected
0.1-beta
Description
The URL is not filtered and is concatenated directly into the command string, so a possible RCE vulnerability exists. The user-controlled value flows from the GUI through `xrayCmd.buildCmd()` into `ExecUtil.execCmdGetStream()`, which passes the whole string to a shell.
The relevant code is as follows:
```java
// MainForm (super-xray 0.1-beta): the "active scan" button handler.
// xrayCmd already holds the target URL typed into the GUI; buildCmd()
// concatenates module, URL and config into one command string.
public void initActiveScan() {
    logger.info("init active scan module");
    activeScanButton.addActionListener(e -> {
        try {
            refreshOutput();
            xrayCmd.setModule("webscan");
            xrayCmd.setConfig(String.format("--config %s", configPath));
            String finalCmd = xrayCmd.buildCmd();   // unvalidated URL is inside this string
            outputTextArea.setText(null);
            execAndFresh(finalCmd);
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    });
}

// Runs the command on a worker thread and streams its output into the text area.
private void execAndFresh(String finalCmd) {
    outputTextArea.setText(null);
    Thread thread = new Thread(() -> {
        try {
            InputStream inputStream = ExecUtil.execCmdGetStream(finalCmd);
            if (inputStream == null) {
                return;
            }
            BufferedReader isReader = new BufferedReader(new InputStreamReader(inputStream));
            String thisLine;
            while ((thisLine = isReader.readLine()) != null) {
                outputTextArea.append(thisLine);
                outputTextArea.append("\n");
                outputTextArea.setCaretPosition(outputTextArea.getText().length());
            }
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    });
    thread.start();
    threadPool.add(thread);
}

// ExecUtil: the injection sink. The complete command string, URL included,
// is given to a shell interpreter, so shell metacharacters in the URL
// (";", "&", "|", "$(...)", backticks) are interpreted as commands.
public static InputStream execCmdGetStream(String cmd) {
    if (OSUtil.isWindows()) {
        String[] xrayCmd = new String[]{"cmd.exe", "/c", String.format("%s", cmd)};
        return execGetStream(xrayCmd);
    } else {
        String[] xrayCmd = new String[]{"/bin/bash", "-c", String.format("%s", cmd)};
        return execGetStream(xrayCmd);
    }
}
```
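The root cause is that a shell, not the xray binary, receives the user's input. The added example below (written for this advisory, not super-xray's own code or its 0.2-beta fix) shows the vulnerable shape beside a hardened launcher that builds an argv array and starts the process with `ProcessBuilder`, so the URL is always a single argument and no shell tokenises it; an allowlist check on the URL scheme and host is layered on top as defence in depth. Assumptions: the scanner binary is `./xray` and it accepts `webscan --url <target> --config <path>`; the `--url` flag name is assumed, since the page only shows `webscan` and `--config`. The hostile URL in `main` is a constructed payload used only to show that the validator rejects it; the vulnerable command is printed, never executed.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;

/*
 * Added example for the advisory, not super-xray's code.
 * Assumed: binary "./xray", flags "webscan --url <target> --config <path>".
 */
public class SafeXrayLauncher {

    /** Vulnerable shape from the advisory: raw URL inside one shell string. */
    static String[] vulnerableCommand(String url, String configPath) {
        String finalCmd = "./xray webscan --url " + url + " --config " + configPath;
        return new String[] {"/bin/bash", "-c", finalCmd}; // bash parses ';', '|', '$(...)'
    }

    /** Accept only http(s) URLs that parse with a real host; reject everything else. */
    static URI validateTargetUrl(String raw) {
        URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("target is not a valid URL", e);
        }
        String scheme = uri.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new IllegalArgumentException("only http/https targets are allowed");
        }
        // getHost() is null when the authority is not a well-formed host
        // (e.g. "example.com;id"), which also catches metacharacters smuggled there.
        if (uri.getHost() == null || uri.getHost().isEmpty()) {
            throw new IllegalArgumentException("target URL has no host");
        }
        return uri;
    }

    /** Hardened shape: build argv element by element; no shell ever sees the URL. */
    static List<String> buildArgv(String xrayBinary, String url, String configPath) {
        URI target = validateTargetUrl(url);
        List<String> argv = new ArrayList<>();
        argv.add(xrayBinary);
        argv.add("webscan");
        argv.add("--url");
        argv.add(target.toString());   // one argv element, whatever characters it holds
        argv.add("--config");
        argv.add(configPath);
        return argv;
    }

    /** Launch via ProcessBuilder(argv): the OS receives the arguments verbatim. */
    static Process launch(List<String> argv) throws IOException {
        ProcessBuilder pb = new ProcessBuilder(argv);
        pb.redirectErrorStream(true);
        return pb.start();
    }

    public static void main(String[] args) throws IOException {
        String cfg = "config.yaml";
        // Constructed payload: under "bash -c", the text after ';' would run as a command.
        String hostile = "http://example.com;id";
        System.out.println("vulnerable: " + String.join(" | ", vulnerableCommand(hostile, cfg)));

        try {
            buildArgv("./xray", hostile, cfg);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // A URL that parses fine is still only ever a single argument; "$(id)"
        // stays a literal string because no shell is involved.
        List<String> argv = buildArgv("./xray", "http://example.com/?q=$(id)", cfg);
        System.out.println("argv: " + argv);

        // Uncomment once the assumed "./xray" binary exists to stream its output:
        // try (BufferedReader r = new BufferedReader(new InputStreamReader(launch(argv).getInputStream()))) {
        //     String line; while ((line = r.readLine()) != null) System.out.println(line);
        // }
    }
}
```

The essential fix is `buildArgv` plus `ProcessBuilder(List<String>)`: the original `execAndFresh` loop can keep reading from `launch(argv).getInputStream()` unchanged. The URL validator is a second layer, not a substitute; a filter that tried to strip shell metacharacters from a string that is still passed to `bash -c` or `cmd.exe /c` would remain fragile. One Windows caveat: `ProcessBuilder` still routes `.bat` and `.cmd` targets through `cmd.exe`, so the hardened form relies on the scanner being a native executable.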
Mitigation
Users should upgrade to super-xray 0.2-beta, in which the launcher no longer passes the unvalidated URL through a shell.
Credit
No credit has been assigned for this issue.