Description
Vulnerability ID: W1T6-XIMA-ALCY-KAKF
Application Name: CargoCats-contrast-cargo-cats-webhookservice
Vulnerability Link: https://eval.contrastsecurity.com/Contrast/static/ng/index.html#/545a3bce-97c5-4732-af38-1ac459087b0a/applications/ec2c0746-ea34-44fb-ab5b-fc1e381d4c2e/vulns/W1T6-XIMA-ALCY-KAKF
What Happened?
We tracked the following data from Request Body:
POST /testConnection
contrast-redacted-body
...which was accessed within the following code:
subprocess.py, line 505, in run()
...and ended up in this command statement:
ping -c 1 google.com; cat /etc/passwd
What's the risk?
The application takes data from the user and uses it to build a system command. A malicious user could provide data that escapes the existing command and issues new ones. It is also possible for them to cause the existing command to behave maliciously.
Recommendation
Any time untrusted input is used to build a system command, this is a high-impact flaw. Most of the time, arbitrary command execution isn't possible, but passing arbitrary command arguments to the target function can lead to similar dangers. Here are a few best practices that may help reduce your risk:
- Refactor the command line call out. There are many who believe that calls like os.system or subprocess.Popen represent an inherently bad design. If possible, use existing Python APIs, modules, or external batch systems to accomplish the functionality without needing a dangerous, platform-dependent Python-to-OS bridge.
- Avoid starting your command with /bin/sh -c or cmd.exe /c. These allow any untrusted input in the command to be processed by the command shell instead of as parameters to a pure native subprocess.Popen. For the same reason, when using subprocess.Popen or related functions, do not set shell=True. If the shell (like bash or cmd.exe) is used, malicious input can redirect commands, chain new commands, and in general cause more damage than otherwise possible (https://www.owasp.org/index.php/Command_Injection).
Check out our AI-generated Intelligent Remediation Guidance! https://eval.contrastsecurity.com/Contrast/static/ng/index.html#/545a3bce-97c5-4732-af38-1ac459087b0a/vulns/W1T6-XIMA-ALCY-KAKF/overview/recommendation
First Event
Stack:
get_json(werkzeug.wrappers.request.py:608)
test_connection(app.py:268)
dispatch_request(flask.app.py:1469)
full_dispatch_request(flask.app.py:1484)
wsgi_app(flask.app.py:2190)
__call__(flask.app.py:2213)
handle_request(gunicorn.workers.sync.py:178)
handle(gunicorn.workers.sync.py:135)
accept(gunicorn.workers.sync.py:32)
run_for_one(gunicorn.workers.sync.py:70)
run(gunicorn.workers.sync.py:126)
init_process(gunicorn.workers.base.py:142)
spawn_worker(gunicorn.arbiter.py:609)
spawn_workers(gunicorn.arbiter.py:642)
manage_workers(gunicorn.arbiter.py:571)
run(gunicorn.arbiter.py:202)
run(gunicorn.app.base.py:72)
run(gunicorn.app.base.py:236)
run(gunicorn.app.wsgiapp.py:67)
<module>(usr.local.bin.gunicorn:8)
Last Event
Stack:
run(subprocess.py:505)
test_connection(app.py:284)
dispatch_request(flask.app.py:1469)
full_dispatch_request(flask.app.py:1484)
wsgi_app(flask.app.py:2190)
__call__(flask.app.py:2213)
handle_request(gunicorn.workers.sync.py:178)
handle(gunicorn.workers.sync.py:135)
accept(gunicorn.workers.sync.py:32)
run_for_one(gunicorn.workers.sync.py:70)
run(gunicorn.workers.sync.py:126)
init_process(gunicorn.workers.base.py:142)
spawn_worker(gunicorn.arbiter.py:609)
spawn_workers(gunicorn.arbiter.py:642)
manage_workers(gunicorn.arbiter.py:571)
run(gunicorn.arbiter.py:202)
run(gunicorn.app.base.py:72)
run(gunicorn.app.base.py:236)
run(gunicorn.app.wsgiapp.py:67)
<module>(usr.local.bin.gunicorn:8)
HTTP Request
POST http://webhookservice:5000/testConnection HTTP/1.1
Contrasttraceparent: 00-ce0b87a9bae00a8a2a4ebb981cce39f5-e99350cb9553ce4f-01
Content-Type: application/json
Host: webhookservice:5000
Content-Length: 37
Accept: application/json
User-Agent: Java/11.0.30
Connection: keep-alive
References
https://owasp.org/www-community/attacks/Command_Injection
Session ID: a1131621e72e62fb042280f63092bc63
artifactHash: 2783637633