Privilege escalation using cputime parameter and runguard

[mrlnstk]

Hello,
i have found a bug that can lead to a privilege escalation.
Most of the input which the user can control is escaped using escapeshellarg but using the cputime parameter which is not escaped you can create a command injection which leads to a privilege escalation.
Here you can see that cputime is not escaped and is directly set into the sandox command which is executed by the user www-data.
Once you have access to the webroot you can patch runguard to accept root as a valid user and execute commands as root.
I have also a proof-of-concept script but I won't upload it here for security reasons.
If there are any further questions, I'll be happy to help.

Sincerely,
Marlon

[trampgeek]

Hi Marlon.

Many thanks for finding and reporting the vulnerability. Thanks for the fix, too, though I've chosen to run with a slight variant on your code. I've modified getParam so that if a supplied parameter is non-numeric and the default parameter is numeric, the default is used. Change pushed to github. Please confirm that my change addresses that issue (and any similar ones).

Thanks again

Richard

[mrlnstk]

Hi Richard,
the fix you made works. Command Injections aren't possible anymore using the cputime parameter.
Thanks for the quick response!

Sincerely,
Marlon