Vulnerability Focus: Command Injection

5min read

Image of thief climbing out of laptop shining flashlight on ruby, java icons with a syringe, titled Vulnerability Focus: Command Injection

At attention, app sec community! It has been an exciting past couple of weeks, and we have got some juicy vulnerabilities to dish on. From Apache commons to the extensively-used Nokogiri library,  we will shed light on two compelling command injection vulnerabilities that rank highly on the common vulnerability scoring system (CVSS). Read along and spread the word to help combat against open source vulnerabilities.

  • CVE-2019-10086 The SuppressPropertiesBeanIntrospector class in versions before 1.9.4 of BeanUtils in Apache commons was not enabled by default

  • CVE-2019-5477 An inherent flaw in the Ruby Rexical gem v.1.0.6 or earlier, due to improper neutralization of special elements, resulted in a command injection vulnerability in the Nokogiri gem

CVE-2019-10086

Vulnerability Score: High — 7.3 (CVSS v3.0)

Platform: Java

Component: commons-beanutils

Affected versions: 1.9.3 and earlier

Take heed, all you Java programmers: a vulnerability has been located within Apache commons,  a provider of reusable open source Java component. There lies an arbitrary code vulnerability in the BeanUtils component, a set of utilities used for manipulation of JavaBeans code.

Within the BeanUtils component, there are several class types, or PropertyUtils beans, that  support mechanisms for dynamically defining and accessing bean properties (i.e. Bean Introspection) – these sets of utilities that assist in getting and setting property values on Java classes utilise the BeanIntrospector interface for components that can perform introspection on bean classes. 

Class TypeDescription
DefaultBeanIntrospectorThe default BeanIntrospector implementation

FluentPropertyBeanIntrospector
An implementation which detects write methods for properties used in fluent API scenario
SuppressPropertiesBeanIntrospector**A specialized BeanIntrospector implementation which suppresses some properties.

Example of class types and their functions
** highlights affected component in this CVE incident

In the context of this security flaw, the vulnerability originates from the SuppressPropertiesBeanIntrospector class type. This BeanIntrospector class type  is a standard implementation within a BeanUtils component which suppresses the ability for malicious attackers  to circumvent class properties of Java objects to gain access to the classloader. However, this safeguard mechanism against third-party exploitations of Java objects, was not enabled by default for version 1.9.2 – 1.9.3 of BeanUtils. 

This thereby allows attackers to manipulate classloaders and remotely execute arbitrary commands via class parameter, which would be detrimental to application security. Cyber attackers could potentially take advantage of this command injection loophole to inject malignant code into an application system through cross-site scripting (XSS), cross-site request forgery (XSRF), or drive-by attacks – this would then result in security breaches and a whole slew of inconvenience for organizations using  compromised versions of this BeanUtils component.

Affected users would be relieved to know that the fix for this vulnerability, version 1.9.4 of BeanUtils, has since been published. The security patch for apache-commons-beanutils has fixed the security flaw by adding a special BeanIntrospector class; this class type comprehensively suppresses the ability for any third party to access the classloader through the outmanoeuvring of class properties available on all Java objects – we can declare with utmost confidence that the updated BeanUtils bean prohibits all class level property access by default.

At the risk of sounding like a broken record, application systems that are using versions before 1.9.4 of the BeanUtils component ought to migrate to the latest version at the soonest. Don’t say you haven’t been warned!

CVE-2019-5477

Vulnerability Score: Critical — 9.8 (CVSS v3.0)

Platform: Ruby

Components: Rexical, Nokogiri

Affected versions: Rexical: 1.0.6 and earlier, Nokogiri: 1.10.3 and earlier

Mayday. I repeat, Mayday. Ruby users – watch out! A critical open-source security flaw has been located in Nokogiri, an open-source software library used to parse HTML and XML in Ruby. To provide some contextual information about its popularity, Nokogiri is indisputably one of the most downloaded Ruby gems – it has been downloaded over 240 million times from the rubygems.org. This translates into a potentially vast network of compromised users – it would be prudent for affected parties to understand the type of security flaw they are dealing with.

In versions Nokogiri 1.10.3 or earlier, a command injection vulnerability allows attackers to alter dynamically generated content on a web page by inserting HTML code into input mechanisms that lack effective validation constraints. These commands are then executed in a subprocess via the kernel#open method, which renders an application vulnerable to remote code execution due to improper neutralization of special elements used in a command injection.

This is due to the core functionality of the kernel#open method. When instructed with a file path (defaulting with ‘r’) , it treats the script as the name of a file to open using the specified mode; but when the file path starts with a pipe character ‘I’, it interprets it as a shell command and returns an IO class linked to the subprocess.  In the context of this Nokogiri security flaw, these subprocesses are only exposed if the (undocumented) kernel#open method “Nokogiri::CSS:: Tokenizer#load_file” is executed with unvalidated user input in its filename.

This particular vulnerability exposure appears in the codework generated by Rexical gem versions 1.0.6 or earlier. The Rexical gem facilitates the Nokogiri library in generating a lexical scanner code that is used to parse CSS queries. In any case, the app sec community would be reassured to know that  a patch which addresses this key vulnerability has been released as Rexical v1.0.7. And on an equally heartening note, Nokogiri has also performed an upgrade (i.e. Nokogiri v.1.10.4) to implement the latest patch for the Rexical gem in their library.

Now that you are all caught up on these CVEs, we hope this little piece of enlightenment would have made you more aware of the rampantness of open source vulnerabilities!

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously.  Sign up here to download the Meterian client today.  You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

Vulnerability Focus: Command Injection