CVE-2022-0848 - OS Command Injection Vulnerability in GitHub Repository Part-DB/Part-DB Prior to Version .5.11 and Remediation Steps
A recently discovered vulnerability (CVE-2022-0848) has the potential to affect many users of the Part-DB/Part-DB repository on GitHub. This repository is a popular tool that provides an electronic parts inventory management system. The vulnerability lies in the code, which allows an attacker to execute arbitrary OS commands through a specifically crafted request. This post will outline the details of this vulnerability, including the affected version, the vulnerable code snippet, links to original references, and information on how to exploit and remediate it.
Vulnerable Version
The vulnerability affects Part-DB/Part-DB versions prior to .5.11. It is essential to update to the latest version of the software to mitigate this vulnerability.
Vulnerable Code Snippet
The vulnerability exists in the "label_zebra.php" file located in the "lib\.." directory of the affected software. The vulnerable code snippet is shown below.
// (File: lib\label_printing\label_zebra.php)
$align = ($label["align"] == ALIGN_LEFT) ? '' : '2';
$barcode = '';
$text = '';
if (isset($_GET['barcode']) && $_GET['barcode'] == '1') {
$barcode = '^B3N,N,20,N,N^FD' . esc($label['name']) . '^FS';
} else {
$text = '^FT10,20^AN,20,20^FD' . esc($label['name']) . '^FS';
}
$zpl = "^XA^CF,60,60^FO10,10^GB700,100,1,3,45,B^FS^BY1,3.^JMA^POI^SC.ascii^MD" . esc($_GET['density']) . "^CX.config^LR5^LH,64^PJ30.5,24^FPe^FX";
$output = shell_exec("echo \"$zpl\" | lpr -P $printer_name");
In the above code snippet, the shell_exec() function is used to execute an OS command. However, user input from the $_GET['density'] parameter is not sanitized before it is passed to the shell_exec() function, leading to a potential OS command injection vulnerability.
The original advisory for this vulnerability is available at the following link
- CVE-2022-0848 Security Advisory
Exploit Details
An attacker could exploit this vulnerability by submitting a crafted GET request containing OS commands in the 'density' parameter, as shown below.
http://example.com/path/to/part-db/lib/label_printing/label_zebra.php?density=;&[YOUR_COMMAND_HERE];\";
This request will cause the attacker's command to be executed when the vulnerable code above is called.
Remediation Steps
To resolve this vulnerability, it is crucial to update your Part-DB/Part-DB installation to version .5.11 or newer, which contains a fix for this issue. You can download the latest version of Part-DB/Part-DB from the following link:
- Part-DB/Part-DB GitHub Repository
Alternatively, you can modify the source code of your existing installation and sanitize the user-supplied input for the 'density' parameter before using it in the shell_exec() function, as follows:
$zpl = "^XA^CF,60,60^FO10,10^GB700,100,1,3,45,B^FS^BY1,3.^JMA^POI^SC.ascii^MD" . esc(escapeshellarg($_GET['density'])) . "^CX.config^LR5^LH,64^PJ30.5,24^FPe^FX";
Using the escapeshellarg() function will ensure that user input is safely passed to the shell_exec() function and prevents potential OS command injection attacks.
Conclusion
This post highlighted the details of the CVE-2022-0848 vulnerability in the Part-DB/Part-DB GitHub repository, including the affected versions, the code snippet responsible for the vulnerability, remediation steps, and exploit details. By updating to the latest version of the software or patching the vulnerable code, you can protect your system from this vulnerability, leading to a safer and more secure environment for your Part-DB/Part-DB installation.
Timeline
Published on: 03/04/2022 09:15:00 UTC
Last modified on: 04/08/2022 13:59:00 UTC