TwistedWeb
cpe:2.3:a:twistedmatrix:twistedweb:*:*:*:*:*:*:*
- 14.0.0
A command injection vulnerability has been identified in TwistedWeb version 14.0.0. This issue arises from inadequate input sanitization in the file upload feature, allowing attackers to send specially crafted HTTP PUT requests to upload malicious files, such as reverse shell scripts. Once these files are uploaded, attackers can execute arbitrary commands on the affected system, potentially leading to remote code execution. The vulnerability could also allow privilege escalation, depending on the rights of the web server process. This attack can be carried out remotely, without physical access, posing a significant risk to the system's confidentiality and integrity.
Exploitation of this vulnerability allows for unauthenticated remote code execution on the affected system.
The vulnerability can be reproduced by sending an HTTP PUT request, which the server does not validate, to a writable, web-accessible directory on a server running TwistedWeb 14.0.0. The request can carry a malicious file, such as a reverse shell script. Once the file is uploaded, a standard HTTP GET request for it triggers its execution, resulting in a reverse shell connection back to the attacker's listener.
Users are advised to update to a patched version of TwistedWeb. Additionally, web servers should be configured to disable HTTP PUT methods unless explicitly needed, prevent file uploads to web-accessible paths, and block the execution of script files such as .sh or .php.
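A defender-side check for the mitigation above, added here as an example (it is not part of the advisory or of Twisted): it scans constructed access-log lines in the combined format that twisted.web writes by default, flags successful PUTs of script files under the web root, and reports whether the same path was requested back afterwards, the upload-then-GET pattern the reproduction describes. The extension list, paths and addresses are assumptions.

```python
import re
from datetime import datetime

# Extensions the advisory says should not execute from the web root (list is an assumption).
SCRIPT_EXTS = (".sh", ".php", ".py", ".pl", ".cgi")
# Prefix of the combined log format that twisted.web writes by default.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample: one upload-then-fetch chain, a benign GET, a non-script PUT, a rejected PUT.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jan/2024:10:15:02 +0000] "PUT /uploads/shell.sh HTTP/1.1" 200 0 "-" "curl/7.88.1"
10.0.0.5 - - [03/Jan/2024:10:15:09 +0000] "GET /uploads/shell.sh HTTP/1.1" 200 512 "-" "curl/7.88.1"
10.0.0.7 - - [03/Jan/2024:10:16:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Jan/2024:10:17:30 +0000] "PUT /uploads/notes.txt HTTP/1.1" 201 0 "-" "curl/7.88.1"
10.0.0.5 - - [03/Jan/2024:10:18:00 +0000] "PUT /uploads/x.php HTTP/1.1" 403 0 "-" "curl/7.88.1"
"""

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_upload_chains(log_text):
    """Flag successful PUTs of script files; fetched_at is the first later 2xx GET of that path, else None."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    findings = []
    for i, rec in enumerate(records):
        if rec["method"] != "PUT" or not 200 <= rec["status"] < 300:
            continue  # only uploads the server actually accepted matter
        if not rec["path"].lower().endswith(SCRIPT_EXTS):
            continue  # non-script content is outside the advisory's concern
        fetched = next((later["ts"] for later in records[i + 1:]
                        if later["method"] == "GET" and later["path"] == rec["path"]
                        and 200 <= later["status"] < 300), None)
        findings.append({"ip": rec["ip"], "path": rec["path"],
                         "uploaded_at": rec["ts"], "fetched_at": fetched})
    return findings

if __name__ == "__main__":
    for finding in find_upload_chains(SAMPLE_LOG):
        print(finding)
```

A finding with `fetched_at` set is the full chain and warrants immediate triage; one without it still shows that PUT is reachable and writable on a path from which scripts can be served.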