Security Fix for Remote Code Execution - huntr.dev #117
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
https://huntr.dev/app/users/d3m0n-r00t has fixed the Remote Code Execution vulnerability 🔨. d3m0n-r00t has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?
Get involved at https://huntr.dev/
Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
GitHub Issue URL | #116
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/python/fsociety/1/README.md
User Comments:
📊 Metadata *
Remote Code Execution vulnerability
Bounty URL: https://www.huntr.dev/app/bounties/open/1-python-fsociety
⚙️ Description *
Fixed code execution vulnerability by sanitizing the input. Previously the input was raw_input(). Fixed this by splitting the input at spaces (' ').
💻 Technical Description *
Fsociety had many instances where the input was executed as it is by the os.system code. The user input was the target variable which must be an IP address or a domain. But the user was able to execute arbitrary code by adding command line operators such as && or || etc. I splitted this input and made it a way that proper nmap script runs only when an Ip or domain is given as input. It ignores every other inputs.
🐛 Proof of Concept (PoC) *
Vulnerable code:
Steps to reproduce the bug:
🔥 Proof of Fix (PoF) *
Fix:
👍 User Acceptance Testing (UAT)
Just splited the input so that only the first parameter of the input is taken. Since IP or domain is considered as a single string it is passed through and the rest is splited out. If any thing other than an Ip or domain is supplied it shows an error showing 'unknown host'. So it doesn't break the code.