My Second CVE (CVE-2022-31855)

Hello readers,

I am happy to share that my second 0-day disclosure has been assigned a CVE. CVE-2022-31855 is an access control issue in Shiny RStudio v1.5.9.* that allows attackers to get a shell and, in some cases, escalate privileges.

The affected versions are vulnerable to OS command injection. The Shiny R web console hands whatever is typed into it to a real R interpreter, and R's built-in system() function runs shell commands, so an attacker who can reach the console (or manipulate the input that reaches it) can execute arbitrary commands on the server as the account the console runs under, and from there potentially gain further access to the system.

How does it work?

The Shiny R console is an R interpreter in the form of a web app. It was created to make life easier for data analysts, R developers, or simply users who want to run R code from a browser.

<storytime>
In my case I came across this console on my friend's university exam web page. I was just trying to help at first 👀... and then my hacker mindset took control and I found myself trying to find a vulnerability in the web app.
</storytime>

PS: The university accepts bug reports. Never search for bugs without having permission to do so!

First of all I had to understand how the console works. I read some articles about how an embedded console works on a web page, and also the source code of the one the university uses, to get a rough idea of how it works.

After understanding how an embedded console works on a website, I started researching what kinds of vulnerabilities I could find in it, and the first thing that came to mind was trying to run bash commands on the server.
A single Google search for how to invoke a system command from R led me to a page describing the system() function, and BOOM, I was able to run any bash command!
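To make the pattern concrete, here is an added example (my own illustration, not code from the original post, from Shiny or from the university's console) of a minimal Shiny "R console": the submitted text is parsed and evaluated by the server-side interpreter, which is exactly why system() reaches the shell. It also shows a parse-tree check against an assumed denylist of OS-reaching functions; that check is defence in depth only, because R has no sandbox and the denylist is trivially bypassed by passing a function name as a string. Running the console as an unprivileged user in an isolated container is the control that actually matters.

```r
# Added example, not code from the original post or from Shiny/RStudio:
# a minimal Shiny "R console" showing the pattern the CVE describes
# (user input evaluated by the server-side R interpreter) and a
# defence-in-depth check. Needs the shiny package to actually serve.
library(shiny)

# The vulnerable pattern: the submitted text is parsed and evaluated in the
# server process. Typing  system("id", intern = TRUE)  runs the shell as the
# account Shiny runs under (the `shiny` user in the post).
run_unsafely <- function(code) {
  result <- eval(parse(text = code), envir = new.env())
  paste(capture.output(print(result)), collapse = "\n")
}

# Functions that reach the OS, or that look functions up by name. This is an
# assumed denylist, not exhaustive, and it is bypassable: sapply("id", "system")
# never mentions `system` as a symbol. Use it only in addition to running the
# console as an unprivileged user in an isolated container, never on its own.
OS_FUNCTIONS <- c("system", "system2", "shell", "pipe", "file", "url",
                  "source", "download.file", "Sys.setenv", "get", "get0",
                  "match.fun", "do.call", ".Internal", ".Call", "eval",
                  "evalq", "parse", "library", "require")

# Walk the parse tree of the submitted code and return the denied names it
# uses as symbols; a syntax error yields no names (eval will report it).
find_denied_calls <- function(code) {
  exprs <- tryCatch(parse(text = code), error = function(e) NULL)
  if (is.null(exprs)) return(character(0))
  used <- unique(unlist(lapply(exprs, all.names)))
  intersect(used, OS_FUNCTIONS)
}

ui <- fluidPage(
  textAreaInput("code", "R code", rows = 5),
  actionButton("run", "Run"),
  verbatimTextOutput("out")
)

server <- function(input, output, session) {
  output$out <- renderText({
    req(input$run)                       # only after the button is clicked
    code <- isolate(input$code)          # re-run on click, not on every keystroke
    denied <- find_denied_calls(code)
    if (length(denied) > 0) {
      return(paste("refused: code uses", paste(denied, collapse = ", ")))
    }
    tryCatch(run_unsafely(code), error = function(e) conditionMessage(e))
  })
}

# shinyApp(ui, server)   # uncomment to serve it locally
#
# find_denied_calls('system("id")')            -> "system"
# find_denied_calls('get("system")("id")')     -> "get"
# find_denied_calls('sapply("id", "system")')  -> character(0)  (bypass)
```

The last line of the comment is the point: sapply() resolves its FUN argument with match.fun(), so the shell is reached without `system` ever appearing as a symbol in the parse tree. That is why the denylist cannot be the fix; the fix is to not expose an interpreter to untrusted users at all, or to isolate the process that runs it.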

  • Reported on 23/05/2022
  • Disclosed on 05/07/2022

Bonus 1: Privilege Escalation

With just the shiny user I could already do a lot on the server:
cat, touch or rm the majority of files, read the exam answers, read sensitive data (students' and teachers' passwords), etc.

In a .sh file there was the password of a user. I SSHed in as that user and, after a short recon session on the machine, found that the user had full sudo rights, "(ALL : ALL) ALL", so a simple "sudo su" made me root :)

Bonus 2: Self XSS

I noticed that the menu of the main web page re-renders the commands you type as a history list, so...

payload: "><button onclick="alert(document.domain)"></button>
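The history bug above comes from rendering the typed commands as raw HTML. As an added example (mine, not code from the original post or from Shiny), here is the unsafe rendering next to two escaped versions, wired into the same kind of console; the sample history is constructed and its last entry is the payload from the post.

```r
# Added example, not code from the original post or from Shiny: how a
# command history becomes a self-XSS when it is rendered as raw HTML, and
# the escaped alternatives. Needs shiny and htmltools to serve.
library(shiny)
library(htmltools)

# Constructed sample history; the last entry is the payload from the post.
sample_history <- c(
  'x <- 1:10',
  'mean(x)',
  '"><button onclick="alert(document.domain)"></button>'
)

# Vulnerable: entries are glued into markup and HTML() tells Shiny the string
# is trusted, so the <button onclick=...> becomes live markup on the page.
render_history_unsafe <- function(history) {
  HTML(paste0("<ul>", paste0("<li>", history, "</li>", collapse = ""), "</ul>"))
}

# Safe: build the list with tag functions. Character children of a tag are
# HTML-escaped when rendered (< and > become &lt; and &gt;), so the payload
# is displayed as text instead of becoming a button.
render_history_safe <- function(history) {
  tags$ul(lapply(history, tags$li))
}

# Safe when you really must assemble a string: escape each entry first.
# htmlEscape() escapes & < > (and quotes as well with attribute = TRUE,
# which is what you need if the value lands inside an attribute).
render_history_escaped <- function(history) {
  HTML(paste0("<ul>",
              paste0("<li>", htmlEscape(history), "</li>", collapse = ""),
              "</ul>"))
}

# Wiring into the console: a reactive history appended on every run.
ui <- fluidPage(
  textAreaInput("code", "R code", rows = 3),
  actionButton("run", "Run"),
  uiOutput("history")
)

server <- function(input, output, session) {
  rv <- reactiveValues(history = character(0))
  observeEvent(input$run, {
    rv$history <- c(rv$history, input$code)
  })
  output$history <- renderUI(render_history_safe(rv$history))
}

# shinyApp(ui, server)   # uncomment to serve it locally
#
# as.character(render_history_unsafe(sample_history)) contains
#   <li>"><button onclick="alert(document.domain)"></button></li>   (live button)
# as.character(render_history_safe(sample_history)) contains
#   <li>"&gt;&lt;button onclick="alert(document.domain)"&gt;&lt;/button&gt;</li>
```

Because the history here lives in one user's session, the injected script only runs for the person who typed it, which is why the post calls it self-XSS; the same rendering bug becomes stored XSS the moment history is shared between users or persisted server-side.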

y0ung_dst

CTFer & Bug Hunter | Twitter: @Y0ung_MA