Roxy-WI OS Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A critical OS command injection vulnerability has been identified in Roxy-WI versions through 8.1.3. The issue resides in the 'action_service' function within 'app/modules/roxywi/roxy.py', where a user-supplied service parameter is interpolated into a system command string and executed. This vulnerability can be exploited remotely by an authenticated user, leading to unauthorized code execution on the server.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the server, potentially leading to full system compromise.

Reproduction

To reproduce this vulnerability, an authenticated user sends a request to the '/tools/update/' endpoint with a crafted service parameter containing shell metacharacters followed by a command. The 'action_service' function passes the parameter into a system command without any sanitization, so the appended command is executed. The injection can be demonstrated with a payload whose appended command pauses execution for a period of time, such as 'sleep 10', and observing the delayed response.

Remediation

Users are advised to upgrade to Roxy-WI version 8.1.4, which addresses the vulnerability by implementing proper input validation. The updated version can be downloaded from the Roxy-WI GitHub repository.
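The pattern described in the Reproduction and Remediation sections above, as an added example written for this advisory rather than code from the Roxy-WI project: a vulnerable command builder that splices the service parameter into a shell string, beside a hardened builder that validates the parameter against an allowlist and hands the command to the OS as an argument vector with no shell involved. The service names, action names, the 'systemctl' command and the '_unsafe'/'_safe' function names are assumptions made for illustration and are not taken from the project's code.

```python
import re
import subprocess

# Allowlists assumed for this example (constructed; not the project's own lists).
ALLOWED_SERVICES = {"haproxy", "nginx", "apache", "keepalived"}
ALLOWED_ACTIONS = {"start", "stop", "restart", "reload"}

# Shell metacharacters that should never appear in a service name. Useful as a
# request-parameter check or as a rule when reviewing access logs.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r]")


def contains_shell_metacharacters(value: str) -> bool:
    """Return True when the value carries characters a shell would interpret."""
    return bool(SHELL_META.search(value))


def build_command_unsafe(service: str, action: str) -> str:
    """The vulnerable pattern: untrusted input is formatted into a shell string.

    Returned as text only so the example can show the problem without running it;
    with shell=True the ';' in a crafted service name terminates the intended
    command and starts a second one.
    """
    return f"sudo systemctl {action} {service}"


def build_command_safe(service: str, action: str) -> list:
    """Hardened builder: reject anything outside the allowlist, return argv.

    Because the result is a list and is run without a shell, no character in
    the service name can change the command structure.
    """
    if service not in ALLOWED_SERVICES:
        raise ValueError(f"unknown service: {service!r}")
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    return ["sudo", "systemctl", action, service]


def action_service_safe(service: str, action: str, runner=subprocess.run):
    """Validate, then execute as an argument vector (shell=False).

    'runner' is injectable so callers (and tests) can substitute a recorder for
    subprocess.run instead of actually invoking systemctl.
    """
    argv = build_command_safe(service, action)
    return runner(argv, shell=False, check=False, capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed parameter of the kind the advisory describes.
    crafted = "haproxy; sleep 10"
    print("unsafe string:", build_command_unsafe(crafted, "restart"))
    print("metacharacters present:", contains_shell_metacharacters(crafted))
    try:
        build_command_safe(crafted, "restart")
    except ValueError as exc:
        print("safe builder rejected it:", exc)
    print("safe argv:", build_command_safe("haproxy", "restart"))
```

The allowlist check is the primary control; the metacharacter check is a secondary signal for detection (for example, flagging requests to '/tools/update/' whose service parameter matches it) and should not be relied on alone, since a denylist of characters is easy to get wrong.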

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 10.0
exploitability: 6.2
remediation: 7.7
relevance: 0.0
threat: 6.5
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.