Aviatrix Controller Command Injection Vulnerability Allowing Remote Code Execution

A command injection vulnerability has been identified in Aviatrix Controller versions prior to 7.1.4208, 7.2.5090, and 8.0.0. The issue arises from the application's failure to properly sanitize user input before passing it to command line utilities, enabling authenticated users to inject commands via special characters in filenames. This vulnerability was exploited to execute arbitrary commands on the server with root privileges, ultimately leading to remote code execution.

Impact

Exploitation of this vulnerability allows for authenticated command injection, with the injected commands executed as root. This could be used to perform any action that a root user can, including modifying system files or executing malicious scripts that could be harmful to the system or its users.

Reproduction

The vulnerability can be reproduced by uploading a file through a feature that accepts file uploads, such as the Proxy Admin utility's CA Certificate installation feature. The uploaded file's name can be crafted to include tab characters, which will be interpreted as command line argument separators. Once the file is uploaded, the injection can be completed by renaming the file to 'crontab' and smuggling additional arguments to the 'cp' command via the file extension. After moving the 'crontab' file to the '/etc' directory, the injected commands will be executed, with the 'curl' command being a typical example of such an execution.

Remediation

Users can update to Aviatrix Controller versions 8.0.0, 7.2.5090, or 7.1.4208 to address this vulnerability.