KasperskyLab/TinyCheck

[Vulnerabilities] Possible authenticated RCE discovered by sayfer.io

felixaime opened this issue · 0 comments

Hello people,

As can happen to anyone who has their nose too deep in the code, during an audit the guys from https://sayfer.io reported a few days ago a possible authenticated RCE. Like most command injection vulnerabilities, this can be exploited easily by:

  • Getting the JSON Web Token (JWT), if the attacker knows the username / password;
  • Injecting commands into the configuration via the API (notably, in the WiFi interface names);
  • Waiting for the user to create a new capture: tshark will be executed with the injected code as a parameter, yes.

Facing that, I'm going to patch the vulnerability, which is serious:

  • Patching the install script to push the user to set up their own credentials;
  • Putting regexes on the WiFi interface names when editing the configuration;
  • Changing the way subprocess calls are processed (which is the biggest fail 🤦‍♂️).

I would like to thank the sayfer.io researchers personally for having reported this serious issue.

If you downloaded TinyCheck before today, please:

  • Update to the latest commit/version: # cd /usr/share/tinycheck/ && bash update.sh
  • Update the login / password if you used the default ones.

Don't hesitate to use this thread if you have any questions related to this issue, or if you see another issue.

Félix.
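The two code-level fixes listed in the issue (regex validation of WiFi interface names at configuration time, and changing how subprocess calls are made) are the standard remediation for this class of command injection. The following is an added example written for this page; it is not TinyCheck's own code and does not reflect the project's actual patch. The function names, the `wifi_iface` configuration key, the 15-character limit and the allowed-character regex are assumptions chosen to model a plausible Linux interface name, and `start_capture` is a hypothetical stand-in for a capture launcher.

```python
import re
import subprocess

# Assumption (not from the TinyCheck repository): a Linux interface name is at
# most 15 characters and we only accept letters, digits, '_', '.' and '-'.
# Anything a shell could interpret (';', '&', '|', '$', '`', quotes, spaces)
# is outside this set and is rejected before it can reach the configuration.
IFACE_RE = re.compile(r"[A-Za-z0-9_.-]{1,15}")


def validate_iface(name) -> bool:
    """Return True only if `name` is a plausible network interface name.

    fullmatch() is used rather than match()/search() so that no prefix or
    suffix (including a trailing newline) can slip past the pattern.
    """
    return isinstance(name, str) and IFACE_RE.fullmatch(name) is not None


def update_wifi_config(config: dict, new_iface: str) -> dict:
    """Hypothetical configuration-update step (mirrors fix #2 in the issue).

    The interface name is validated when it is written, so a later capture
    never reads a poisoned value from the stored configuration.
    """
    if not validate_iface(new_iface):
        raise ValueError(f"invalid interface name: {new_iface!r}")
    updated = dict(config)
    updated["wifi_iface"] = new_iface
    return updated


def build_tshark_cmd(iface: str, pcap_path: str) -> list:
    """Return the tshark command as an argv list (mirrors fix #3 in the issue).

    The vulnerable pattern is building one string such as
    f"tshark -i {iface} -w {pcap_path}" and running it with shell=True; the
    shell then parses metacharacters inside `iface`. With an argv list and no
    shell, each element is passed to the process as-is, so the interface name
    can only ever be an argument to tshark, never a second command. The value
    is validated again here as defence in depth, in case the configuration
    file was edited by another path.
    """
    if not validate_iface(iface):
        raise ValueError(f"invalid interface name: {iface!r}")
    return ["tshark", "-i", iface, "-w", pcap_path]


def start_capture(iface: str, pcap_path: str) -> subprocess.Popen:
    """Hypothetical launcher: list argv, no shell=True, no string formatting."""
    return subprocess.Popen(build_tshark_cmd(iface, pcap_path))


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name, one with a shell
    # metacharacter appended, as an API client could submit it.
    for candidate in ("wlan0", "wlan0; id"):
        print(f"{candidate!r}: valid={validate_iface(candidate)}")
    print(build_tshark_cmd("wlan0", "/tmp/capture.pcap"))
```

Note that the regex alone is not what prevents injection: the argv list is. The regex limits what can be stored in the configuration, and the list form guarantees that even a value which bypasses the first check is still only ever a single argument.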