
Security Fix for Remote Code Execution - huntr.dev#117

Open
huntr-helper wants to merge 11 commits intoManisso:masterfrom
418sec:master

Conversation

@huntr-helper

https://huntr.dev/app/users/d3m0n-r00t has fixed the Remote Code Execution vulnerability 🔨. d3m0n-r00t has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

| Q | A |
| --- | --- |
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | 418sec#1 |
| GitHub Issue URL | #116 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/python/fsociety/1/README.md |

User Comments:

📊 Metadata *

Remote Code Execution vulnerability

Bounty URL: https://www.huntr.dev/app/bounties/open/1-python-fsociety

⚙️ Description *

Fixed the code execution vulnerability by sanitizing the input. Previously the input was taken raw from `raw_input()`. Fixed this by splitting the input at spaces (`' '`).

💻 Technical Description *

Fsociety had many instances where the input was executed as-is by the `os.system` call. The user input was the target variable, which must be an IP address or a domain. But the user was able to execute arbitrary code by adding command line operators such as `&&` or `||` etc. I split this input and made it so that the nmap script runs properly only when an IP or domain is given as input. It ignores every other input.

🐛 Proof of Concept (PoC) *

Vulnerable code:

```python
def run(self):
    clearScr()
    print(self.nmapLogo)
    # target is taken verbatim from the user and never validated
    target = raw_input(self.targetPrompt)
    self.menu(target)

# excerpt from the menu handler: the tainted target is interpolated into a shell command
logPath = "logs/nmap-" + strftime("%Y-%m-%d_%H:%M:%S", gmtime())
try:
    if response == "1":
        # os.system hands the whole string to the shell, so shell operators in target are honoured
        os.system("nmap -sV -oN %s %s" % (logPath, target))
```

Steps to reproduce the bug:

  1. Run `python fsociety.py`
  2. Select any vulnerable part (for example: 1. Information gathering -> 1. Nmap).
  3. Supply any IP or domain and, with the command line operator, supply the payload:
     `127.0.0.1 && echo 'Hacked' > hacked.txt`
  4. We can see the hacked.txt file created in the directory.

[screenshots: fsocityrce, rcepoc]

🔥 Proof of Fix (PoF) *

Fix:

```python
target = raw_input(self.targetPrompt).split(' ')[0]
```

[screenshot: fixed]

👍 User Acceptance Testing (UAT)

Just split the input so that only the first parameter of the input is taken. Since an IP or domain is considered a single string, it is passed through and the rest is split off. If anything other than an IP or domain is supplied, it shows an error saying 'unknown host'. So it doesn't break the code.
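Added example (my own code, not part of this PR or of fsociety): the merged fix keeps only the text before the first space, which is enough to drop the `&&` payload shown above. The Python 3 snippet below shows both that fix and the stricter defence a reviewer would normally ask for: validate that the token really is an IP address or an RFC 1123 hostname, and pass nmap an argument list through `subprocess.run` so no shell ever parses the string. The nmap flags (`-sV -oN`) are taken from the vulnerable snippet; the function names and the `logs/nmap-...` path are assumptions for illustration.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(r"^(?:" + _LABEL + r"\.)*" + _LABEL + r"\.?$")


def first_token(raw):
    """The fix as merged in this PR: keep only the text before the first space."""
    return raw.split(' ')[0]


def is_valid_target(target):
    """True only for an IPv4/IPv6 address or an RFC 1123 hostname.

    Anything else (spaces, shell operators, redirections, quotes) is rejected,
    so the check does not depend on where the attacker put the whitespace.
    """
    if not target or len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.match(target) is not None


def build_nmap_argv(target, log_path):
    """Build the nmap argument vector; raise ValueError for an invalid target.

    Returning a list (not a string) is the point: subprocess.run(list) execs nmap
    directly, so '&&', '||', ';' and friends are passed to nmap as a literal
    argument and never reach /bin/sh.
    """
    if not is_valid_target(target):
        raise ValueError("target must be an IP address or hostname: %r" % (target,))
    # same flags as the original os.system("nmap -sV -oN %s %s" % (logPath, target))
    return ["nmap", "-sV", "-oN", log_path, target]


def run_nmap(raw_target, log_path):
    """Hardened replacement for the os.system call (not executed by the tests)."""
    target = first_token(raw_target)          # the PR's fix
    argv = build_nmap_argv(target, log_path)  # validation + no-shell argv
    return subprocess.run(argv, check=False)


if __name__ == "__main__":
    # Constructed sample input: the PoC payload from this PR.
    poc = "127.0.0.1 && echo 'Hacked' > hacked.txt"
    print("first token:", first_token(poc))          # 127.0.0.1
    print("raw PoC valid target?", is_valid_target(poc))  # False
    print("argv:", build_nmap_argv(first_token(poc), "logs/nmap-example"))
```

`run_nmap` keeps the merged `split(' ')[0]` step so behaviour for ordinary input is unchanged, and adds the two checks in front of the exec. If you keep `os.system` for some reason, `shlex.quote(target)` after validation is the minimum; the argument-list form removes the shell from the picture entirely.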
