Hyperledger: POOL_UPGRADE request handler may allow an unauthenticated attacker to remotely execute code on every node in the network.
News category: Security vulnerabilities
Source: vulners.com
This issue relates to https://github.com/hyperledger/indy-node. The issue was found in the indy-node code that handles the write request of type POOL_UPGRADE (in file indy-node/indy_node/server/request_handlers/config_req_handlers/pool_upgrade_handler.py). The additional_dynamic_validation function handles an undocumented field called package that can contain the name of the package to be upgraded. In case this field is not empty, it is passed as is to the following functions: self.upgrader.check_upgrade_possible -> NodeControlUtil.curr_pkg_info -> cls._get_curr_info.

```python
def _get_curr_info(cls, package):
    cmd = compose_cmd(['dpkg', '-s', package])
    return cls.run_shell_command(cmd)
```

As seen in the code snippet above, the user-supplied name is concatenated to the string dpkg -s and is run as a system command without any sanitization. This can lead to an attacker supplying a package name followed by a semicolon and another system command (e.g. package ; whoami), resulting in remote code execution. This of course can be any command, and in the PoC code attached I'm running a reverse shell, effectively taking control of the node, and possibly the entire network and the identities in it (assuming I run this exploit on enough nodes). The documentation specifies that POOL_UPGRADE can be run by a Trustee only; however, we can run this exploit as a client without any roles in the network. This is made possible by the fact that the... ...
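A hardened counterpart to the lookup above, as an added example that is not part of the advisory or of the indy-node code base: the package field is checked against Debian package naming rules before it is used, and dpkg is invoked with an argument list and no shell, so a value such as indy-node ; whoami is rejected instead of executed. The function names are assumptions, not indy-node's own.

```python
import re
import subprocess

# Debian package names: lowercase letters, digits, '+', '-', '.'; at least
# two characters, starting with an alphanumeric (Debian Policy, Package field).
_DEB_PKG_NAME = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")


def is_valid_package_name(package) -> bool:
    """Allow-list check applied before the name reaches any command."""
    return isinstance(package, str) and bool(_DEB_PKG_NAME.fullmatch(package))


def upgrade_package_field_is_safe(package) -> bool:
    """Decision a request handler can make on the undocumented 'package'
    field: absent or empty is acceptable, anything else must validate."""
    if package in (None, ""):
        return True
    return is_valid_package_name(package)


def curr_pkg_info(package: str) -> str:
    """Return `dpkg -s` output for a validated package name.

    Hypothetical hardened version of the advisory's _get_curr_info: the
    name is validated first, and subprocess gets an argv list with
    shell=False, so shell metacharacters in `package` are never
    interpreted even if the allow-list were later loosened.
    """
    if not is_valid_package_name(package):
        raise ValueError("invalid package name: %r" % (package,))
    result = subprocess.run(
        ["dpkg", "-s", package],  # argv list, never a joined command string
        shell=False,
        capture_output=True,
        text=True,
        check=False,
    )
    # dpkg exits non-zero for unknown packages; surface that to the caller.
    if result.returncode != 0:
        raise LookupError("dpkg -s failed for %r: %s"
                          % (package, result.stderr.strip()))
    return result.stdout
```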