Roxy-WI through pre-auth RCE

09-08-2021 - rekter0

hap-wi roxy-wi is a web interface(user-friendly web GUI, alerting, monitoring and secure) for managing HAProxy, Nginx and Keepalived servers.
Versions affected v4 and v5 through v5.2.2.0
CVE identifier CVE-2021-38167 CVE-2021-38168 CVE-2021-38169

# Summary

While looking for a solution to manage multiple reverse proxies, i found roxy-wi in DO marketplace, since it was open source, i'v poked around and found multiple SQL injections and command injections leading to RCE

# Vulnerability analysis

Inside /app/ some SQL statements have user controlled input supplied directly into SQL queries

## Unauthenticated SQLi

when an attacker request any of the pages inside /app folder, authentication is checked via funct.check_login()

def check_login():
    import sql
    import http.cookies
>    cookie = http.cookies.SimpleCookie(os.environ.get("HTTP_COOKIE"))
>    user_uuid = cookie.get('uuid')
    ref = os.environ.get("REQUEST_URI")


    if user_uuid is not None:
>        sql.update_last_act_user(user_uuid.value)
        if sql.get_user_name_by_uuid(user_uuid.value) is None:
            print('<meta http-equiv="refresh" content="0;">' % ref)
            return False
        print('<meta http-equiv="refresh" content="0;">' % ref)
        return False

check_login() takes uuid cookie value and try to update expiration timestamp for the given uuid with sql.update_last_act_user()

def update_last_act_user(uuid):
    cursor = conn.cursor()
    session_ttl = get_setting('session_ttl')

    if mysql_enable == '1':
>        sql = """ update uuid set exp = now()+ INTERVAL %s day where uuid = '%s' """ % (session_ttl, uuid)
>        sql = """ update uuid set exp = datetime('now', '+%s days') where uuid = '%s' """ % (session_ttl, uuid)
    except Exception as e:

uuid cookie value is directly supplied into the query, so an unauthenticated attacker can perform a blind SQL injection to dump the database or extract a valid uuid to bypass authentication

## Authenticated SQLi

There was many, one example of authenticated SQLi via reaching select_servers function

def select_servers(**kwargs):
    cursor = conn.cursor()
    sql = """select * from servers where enable = '1' ORDER BY groups """

    if kwargs.get("server") is not None:
>        sql = """select * from servers where ip='%s' """ % kwargs.get("server")
    if kwargs.get("full") is not None:
        sql = """select * from servers ORDER BY hostname """
    if kwargs.get("get_master_servers") is not None:
        sql = """select id,hostname from servers where master = 0 and type_ip = 0 and enable = 1 ORDER BY groups """
    if kwargs.get("get_master_servers") is not None and kwargs.get('uuid') is not None:
        sql = """ select, servers.hostname from servers 
            left join user as user on servers.groups = user.groups 
            left join uuid as uuid on = uuid.user_id 
            where uuid.uuid = '%s' and servers.master = 0 and servers.type_ip = 0 and servers.enable = 1 ORDER BY servers.groups 
            """ % kwargs.get('uuid')
    if kwargs.get("id"):
        sql = """select * from servers where id='%s' """ % kwargs.get("id")
    if kwargs.get("hostname"):
        sql = """select * from servers where hostname='%s' """ % kwargs.get("hostname")
    if kwargs.get("id_hostname"):
        sql = """select * from servers where hostname='%s' or id = '%s' or ip = '%s'""" % (kwargs.get("id_hostname"), kwargs.get("id_hostname"), kwargs.get("id_hostname"))
    if kwargs.get("server") and kwargs.get("keep_alive"):
        sql = """select active from servers where ip='%s' """ % kwargs.get("server")
    except Exception as e:
        return cursor.fetchall()

there's multiple injection points from user supplied input here
one way to reach this is from

>serv = form.getvalue('serv')
 service = form.getvalue('service')
 if funct.check_is_server_in_group(serv):
>            servers = sql.select_servers(server=serv)

this could be exploited by least privilege account such as guest

## Command injection:

Most cmds in different functions inside /app/ and /api/ are prone to command injection or second order from settings stored in the database which are user supplied.
one of many examples of a second order command injection here:

def get_all_stick_table():
    import sql
    hap_sock_p = sql.get_setting('haproxy_sock_port')
>    cmd = 'echo "show table"|nc %s %s |awk \'{print $3}\' | tr -d \'\n\' | tr -d \'[:space:]\'' % (serv, hap_sock_p)
>    output, stderr = subprocess_execute(cmd)
    return output[0]

haproxy_sock_port is stored in settings table, and an authenticated user can change it from https://[%HOST%]/app/ then calls page with param table_select=All to execute an arbitrary system command

# Impact

Combining SQL injection and command injection allows unauthenticated attacker to achieve pre-auth RCE and compromise the underlying systems.

# Timeline

07-08-2021 - Reported
07-08-2021 - Vendor confirmed
09-08-2021 - SQLi fixed

rce - python - roxy-wi - sql injection - command injection - cgi


rekter0 © 2022