CVE-2022-44019: Remote Command Execution Vulnerability in Total.js 4

Recently, a critical vulnerability has been discovered in Total.js 4, a widely-adopted Node.js web framework. Tracked as CVE-2022-44019, this vulnerability allows remote command execution through shell metacharacters in the host parameter. In this post, we will delve deeper into the issue, provide code snippets, and demonstrate how the exploit works. Also, we will share links to original references for those intrigued to learn more.

Background

In Total.js 4, prior to commit e5ace7, the endpoint /api/common/ping is vulnerable to remote command execution. This is because it does not sanitize the input received in the 'host' parameter. An attacker can inject shell metacharacters in the host parameter, leading the system to execute arbitrary commands.

Affected Versions

Total.js 4 versions before e5ace7

Details

The vulnerability exists in the 'ping' function where the host parameter, received from the /api/common/ping endpoint, is combined with the 'ping' command executed in the shell. The following code snippet demonstrates the problem:

function ping(host, callback) {
  var builder = [];
  var cmd = ('ping -n ' + host).trim();

  var child = ChildProcess.spawn('cmd', ['/s', '/c', cmd]);

  ...

  child.on('close', function() {
      ...
  });
}

As the 'host' parameter is concatenated directly with the 'ping' command without any sanitization or input validation, an attacker can easily inject shell metacharacters in 'host', leading to remote command execution.

Exploit Details

To exploit the vulnerability, an attacker can send an HTTP GET request to the /api/common/ping endpoint with malicious input in the 'host' parameter. For example:

GET /api/common/ping?host=127...1%26calc.exe

This request opens the calculator application (calc.exe) on the server. Note that the payload must be URL-encoded to bypass any HTTP request restrictions.

Mitigations

To mitigate the issue, developers should update to the latest version of Total.js 4. Also, input validation and sanitization should be implemented to prevent attackers from injecting malicious input in the application.

Original References

1. GitHub Commit: e5ace7 - Fixed RCE in /api/common/ping
2. CVE: CVE-2022-44019

Conclusion

CVE-2022-44019 is a critical vulnerability in Total.js, which can lead to remote command execution through the /api/common/ping endpoint. Developers should be vigilant in implementing proper input validation and sanitization to prevent such risks. Update Total.js to the latest version to patch the vulnerability and ensure the security of your application.

Timeline

Published on: 10/30/2022 00:15:00 UTC
Last modified on: 08/08/2023 14:22:00 UTC