CVE-2023-50260 ‒ Command Injection via Active Responses

Metrics: cve.org

Description

Wazuh is an “Open Source Security Platform” that provides agent-based security monitoring for Unix and Windows clients. This vulnerability affects the Active Response feature that can automatically trigger actions in response to alerts. The specific vulnerability is in the handling of IP address arguments. The problem results from the lack of proper validation of JSON messages. An attacker could exploit this vulnerability to run code in the context of root to escalate privileges or to pivot from the management server to client systems.

Vulnerability

By default, active responses are limited to a set of pre-defined executables. This is enforced by only allowing executables stored under /var/ossec/active-response/bin to be run as an active response.

However, the /var/ossec/active-response/bin/host_deny response can be exploited to bypass this restriction. The host_deny script adds IP addresses to the /etc/hosts.deny file so that TCP wrappers block incoming connections from them at the service level.

Because the JSON message is not properly validated, an attacker can inject arbitrary commands through the srcip field.

int main (int argc, char **argv) {                       // src/active-response/host-deny.c
...
    // Get srcip
    const char *srcip = get_srcip_from_json(input_json);        // (1) `host-deny` takes a `srcip` from JSON message
...
    memset(hosts_deny_rule, '\0', COMMANDSIZE_4096);
    memset(hosts_deny_path, '\0', COMMANDSIZE_4096);
    if (!strcmp("FreeBSD", uname_buffer.sysname)) {
        snprintf(hosts_deny_rule, COMMANDSIZE_4096 -1, "ALL : %s : deny", srcip);
        strcpy(hosts_deny_path, FREEBSD_HOSTS_DENY_PATH);
    } else {
        snprintf(hosts_deny_rule, COMMANDSIZE_4096 -1, "ALL:%s", srcip);
        strcpy(hosts_deny_path, DEFAULT_HOSTS_DENY_PATH);
    }
...
        if (fprintf(host_deny_fp, "%s\n", hosts_deny_rule) <= 0) {        // (2) adds the line `ALL:[srcip]` to the `/etc/hosts.deny`
                                                                                  // The `srcip` is not checked before written to `/etc/hosts.deny`
                                                                                  // "ALL:ALL : spawn /usr/bin/whoami >> /tmp/PoC" is added to the `hosts.deny` file
            memset(log_msg, '\0', OS_MAXSTR);
            snprintf(log_msg, OS_MAXSTR -1, "Unable to write rule '%s' on '%s'", hosts_deny_rule, hosts_deny_path);
            write_debug_file(argv[0], log_msg);
        }
...

The active response can be triggered by writing events either to the local execd queue on the server or to the ar queue that forwards the events to agents. This allows local privilege escalation (LPE) to root on the server and remote code execution (RCE) as root on the agent.
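The root cause above is that srcip is copied into a hosts.deny rule without being checked, and hosts.deny accepts option fields such as spawn that run commands. The following C code is an added example, not Wazuh's code and not the vendor's fix: it shows a hypothetical validator (is_valid_srcip) that only accepts an IPv4/IPv6 literal with an optional prefix length, a rule builder (build_hosts_deny_rule) that refuses anything else before producing the same "ALL:%s" / "ALL : %s : deny" lines the excerpt writes, and an audit helper (hosts_deny_line_runs_commands) that flags existing hosts.deny lines carrying a spawn or twist option. All function names and the sample inputs are constructed for this example.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RULE_SIZE 4096   /* mirrors COMMANDSIZE_4096 in the excerpt (assumption) */

/* Hypothetical hardened check: accept only "<ip>" or "<ip>/<prefix>".
 * Everything else, in particular the ':' and space separators that
 * hosts.deny uses for option fields, is rejected. */
int is_valid_srcip(const char *srcip) {
    unsigned char a4[4], a6[16];
    char buf[INET6_ADDRSTRLEN + 5];

    if (srcip == NULL || *srcip == '\0' || strlen(srcip) > INET6_ADDRSTRLEN + 4)
        return 0;
    strncpy(buf, srcip, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';

    char *slash = strchr(buf, '/');
    if (slash != NULL) {
        /* Optional CIDR prefix: digits only, within the family's range. */
        *slash = '\0';
        const char *p = slash + 1;
        if (*p < '0' || *p > '9')
            return 0;
        char *end;
        long prefix = strtol(p, &end, 10);
        if (*end != '\0')
            return 0;
        if (inet_pton(AF_INET, buf, a4) == 1)
            return prefix <= 32;
        if (inet_pton(AF_INET6, buf, a6) == 1)
            return prefix <= 128;
        return 0;
    }
    return inet_pton(AF_INET, buf, a4) == 1 || inet_pton(AF_INET6, buf, a6) == 1;
}

/* Builds the same rule text as the vulnerable excerpt, but only after the
 * srcip passed validation. Returns 0 on success, -1 if srcip was rejected. */
int build_hosts_deny_rule(char *rule, size_t rule_size, const char *srcip, int freebsd) {
    if (!is_valid_srcip(srcip))
        return -1;
    memset(rule, '\0', rule_size);
    if (freebsd)
        snprintf(rule, rule_size - 1, "ALL : %s : deny", srcip);
    else
        snprintf(rule, rule_size - 1, "ALL:%s", srcip);
    return 0;
}

/* Audit helper for incident response: returns 1 if a hosts.deny line has a
 * third or later field starting with "spawn" or "twist", the TCP-wrappers
 * options that execute commands. Colons inside [...] (bracketed IPv6
 * client addresses) are not treated as field separators. */
int hosts_deny_line_runs_commands(const char *line) {
    int field = 0, in_bracket = 0;
    const char *field_start = line;

    for (const char *p = line;; p++) {
        if (*p == '[')
            in_bracket = 1;
        else if (*p == ']')
            in_bracket = 0;
        if ((*p == ':' && !in_bracket) || *p == '\0') {
            if (field >= 2) {
                const char *f = field_start;
                while (*f == ' ' || *f == '\t')
                    f++;
                if (strncmp(f, "spawn", 5) == 0 || strncmp(f, "twist", 5) == 0)
                    return 1;
            }
            if (*p == '\0')
                return 0;
            field++;
            field_start = p + 1;
        }
    }
}

int main(void) {
    /* Constructed sample inputs: a legitimate address and an option-injecting one. */
    const char *samples[] = { "10.0.0.1", "ALL : spawn /usr/bin/whoami >> /tmp/PoC" };
    char rule[RULE_SIZE];
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (build_hosts_deny_rule(rule, sizeof(rule), samples[i], 0) == 0)
            printf("accepted -> %s\n", rule);
        else
            printf("rejected -> %s\n", samples[i]);
    }
    return 0;
}
```

The validator deliberately whitelists a shape rather than blacklisting characters: rejecting ':' alone would still let through other option syntax, while inet_pton guarantees the value is nothing but an address. The audit helper is the check a responder would run over /etc/hosts.deny on servers and agents to find rules that were already injected.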

Additional Details

Timeline

Date         Action
01.11.2023   Vulnerability reported to ZDI
23.11.2023   Vulnerability accepted by ZDI
28.11.2023   Vulnerability reported to vendor
25.04.2024   Coordinated public release of advisory
01.07.2024   Advisory updated