Pnetlab Command Injection Vulnerability in QEMU Options Parameter
Vulnerability
A command injection vulnerability has been identified in Pnetlab version 5.3.11. The issue arises in QEMU node management, where user-supplied data in the 'qemu_options' parameter is not properly sanitized. This allows authenticated users with lab editing rights to inject arbitrary commands that are executed with root privileges on the host machine when a QEMU node is started. The vulnerability exists because the backend does not effectively filter the 'qemu_options' input, which is appended directly to a shell command string and executed via 'exec()'. Notably, the 'secureCmd()' function, intended to sanitize command inputs, does not prevent command substitution (the '$(...)' and backtick forms), so a payload wrapped in a substitution survives filtering and is evaluated by the shell, leaving a critical exploitation vector open.
Impact
Exploitation of this vulnerability provides authenticated users with lab edit permissions the ability to execute arbitrary commands as root on the host system.
Reproduction
To reproduce this vulnerability, an authenticated user with lab edit rights can create a new lab and add a QEMU node. After injecting a payload into the 'qemu_options' parameter that includes a command substitution (such as a reverse shell command), the node can be started or rebooted from the console. This triggers the execution of the injected command, resulting in a root shell on the host.
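The following is an added example, not Pnetlab's own code, written in Python rather than the backend's language to illustrate both the flaw described under Vulnerability and the trigger described under Reproduction. 'naive_secure_cmd' is a hypothetical stand-in for a filter that strips the usual separators but not substitution syntax; the option names, the 'qemu-system-x86_64' command line and the '-name $(id)' placeholder payload are assumptions, and 'hardened_parse' / 'build_argv' show the shape of a fix (reject substitution syntax, allowlist tokens, pass an argv list so no shell ever parses the options).

```python
import re
import shlex
import subprocess

# Hypothetical stand-in for the weakness the advisory describes (not Pnetlab's code):
# a filter that strips obvious separators but leaves $(...) and backticks untouched.
NAIVE_BLOCKLIST = re.compile(r"[;&|<>\n\r]")


def naive_secure_cmd(options: str) -> str:
    """Assumed filter: removes ; & | < > and line breaks, nothing else."""
    return NAIVE_BLOCKLIST.sub("", options)


def build_shell_command(qemu_options: str) -> str:
    """String concatenation into a shell command line, the pattern the advisory describes."""
    return "qemu-system-x86_64 -enable-kvm " + naive_secure_cmd(qemu_options)


def shell_expands(qemu_options: str) -> str:
    """Show what a shell does with the filtered string. The binary name is swapped
    for 'echo' so no QEMU process is launched; the substitution still executes."""
    cmd = build_shell_command(qemu_options).replace("qemu-system-x86_64", "echo", 1)
    return subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True).stdout.strip()


# Hardened handling (assumed design, not the vendor's fix): refuse substitution syntax,
# tokenize with shlex, allowlist every token, and build an argv list for the process.
SUBSTITUTION = re.compile(r"\$\(|`|\$\{")
TOKEN_OK = re.compile(r"^-?[A-Za-z0-9_][A-Za-z0-9_.,=:/+-]*$")


def hardened_parse(options: str) -> list[str]:
    """Return the option tokens, or raise ValueError if anything looks like shell syntax."""
    if SUBSTITUTION.search(options):
        raise ValueError("command substitution is not allowed in qemu_options")
    tokens = shlex.split(options)  # raises ValueError on unbalanced quotes
    for tok in tokens:
        if not TOKEN_OK.fullmatch(tok):
            raise ValueError(f"disallowed token in qemu_options: {tok!r}")
    return tokens


def build_argv(qemu_options: str) -> list[str]:
    """argv list for subprocess.run(..., shell=False); no shell parses these tokens."""
    return ["qemu-system-x86_64", "-enable-kvm", *hardened_parse(qemu_options)]


def hardened_rejects(options: str) -> bool:
    """True if the hardened parser refuses the input."""
    try:
        hardened_parse(options)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Placeholder substitution; the advisory's attacker would put a reverse shell here.
    payload = "-name $(id)"
    print("naive filter keeps :", naive_secure_cmd(payload))
    print("shell expands to   :", shell_expands(payload))
    print("hardened rejects   :", hardened_rejects(payload))
    print("hardened argv      :", build_argv("-cpu host -smp 2"))
```

Running the block prints the '-name $(id)' payload passing the naive filter unchanged and being expanded by /bin/sh, then the same input refused by the hardened parser. The point of the argv-list approach is that even a token the allowlist wrongly admits is delivered to QEMU as a literal argument, never re-parsed by a shell.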
