Re: Advisory X41-2017-010: Command Execution in Shadowsocks-libev

[Salvatore Bonaccorso <carnil () debian org>]

Hi

On Fri, Oct 13, 2017 at 06:44:21PM +0200, X41 D-Sec GmbH Advisories wrote:
> X41 D-Sec GmbH Security Advisory: X41-2017-010
>
> Command Execution in Shadowsocks-libev
> ======================================
>
> Overview
> --------
> Severity Rating: High
> Confirmed Affected Versions: 3.1.0
> Confirmed Patched Versions: N/A
> Vendor: Shadowsocks
> Vendor URL: https://github.com/shadowsocks/shadowsocks-libev
> Vector: Local
> Credit: X41 D-Sec GmbH, Niklas Abel
> Status: Public
> CVE: not yet assigned
> Advisory-URL:
> https://www.x41-dsec.de/lab/advisories/x41-2017-010-shadowsocks-libev/
>
>
> Summary and Impact
> ------------------
> Shadowsocks-libev offers local command execution per configuration file
> or/and additionally, code execution per UDP request on 127.0.0.1.
>
> The configuration file on the file system or the JSON configuration
> received via UDP request is parsed and the arguments are passed to the
> "add_server" function.
> The function calls "construct_command_line(manager, server);" which
> returns a string from the parsed configuration.
> The string gets executed at line 486 "if (system(cmd) == -1) {", so if a
> configuration parameter contains "||evil command&&" within the "method"
> parameter, the evil command will get executed.
>
> The ss-manager uses UDP port 8830 to get control commands on 127.0.0.1.
> By default no authentication is required, although a password can be set
> with the '-k' parameter.

CVE-2017-15924 has been assigned for this issue.

Regards,
Salvatore