Hello readers,
I am happy to share that my second 0-day disclosure has been designated a CVE, CVE-2022-31855 is an access control issue in Shiny RStudio v1.5.9.* allows attackers to getshell and in some cases escalate privileges.
The affected versions of this package are vulnerable to OS Command Injection. The Shiny R web console by default trusts the system function, given that an attacker can gain access to, or somehow manipulate the shell, they could trigger a stored command injection vulnerability and potentially gain further access to the system.
How it works ?
The Shiny R console is an R interpreter in the form of a web app, this application was created to facilitate the work for data analysts and R developers or just simple users who can use it.
<storytime>
For my case i came across this console on my friend’s university exam web page, i was just trying to help at first 👀… and then my hacker mindset took the control and i found myself trying to find a vulnerability on the web app..
</storytime>PS: The university accepts bug reports. Please never search for bugs without having the permission to do so!
So first of all i had to understand how the console works, I read some articles to understand how an embedded console works on a web page and also the source code of the one the university uses to try to understand a little bit in short how it works.
After understanding how an embedded console works on a website I started researching what kind of vulnerabilities I can find with it and the first thing I had in my mind was trying to run bash commands on the server.
So just by doing a single google search for how to invoke a system command i found this website and using the system() function BOOM i was able to run any bash command !
- Reported on 23/05/2022
- Disclosed on 05/07/2022
Bonus 1: Privilege Escalation
Just with the user shiny I had the possibility to do a lot of things on the server
(cat | touch | rm majority of files, read the answers, read sensitive data (students & teachers passwords) etc…)
On the file .sh there was the password of a user, I sshed into it and after a small recon session on the machine I could find that the user had all the perms “(ALL : ALL) ALL” so with just a “sudo su” i became root :)
Bonus 2: Self XSS
I noticed on the menu of the main web page that the commands written are rewritten in the form of history, so...
