Faction Remote Code Execution Vulnerability via Unauthenticated Extension Upload
Vulnerability
A remote code execution vulnerability has been identified in Faction, a PenTesting report generation and collaboration framework, prior to version 1.7.1. The issue arises from an extension execution path that allows untrusted extension code to execute arbitrary system commands on the server. This vulnerability is made possible by a missing authentication check on the '/portal/AppStoreDashboard' endpoint, enabling unauthenticated users to access the extension management UI and upload malicious extensions. Once uploaded, these extensions are executed with the same OS-level privileges as the Faction server process, potentially leading to full compromise of the host.
Impact
Exploitation of this vulnerability allows for remote code execution on the server hosting Faction, with the executed code running under the same privileges as the Faction server process. This could lead to a complete takeover of the server, especially if the application is running as root. Additionally, all assessment data, templates, credentials, and database contents could be accessed and exfiltrated. Attackers could also modify reports and templates, disrupt server processes, or encrypt storage.
Reproduction
To reproduce this vulnerability, upload a malicious extension through the '/portal/AppStoreDashboard' endpoint, which is accessible without authentication. The uploaded extension can then be executed by triggering the appropriate lifecycle hook, such as during report generation, which will run the extension's code on the server.
Remediation
Users are advised to update to Faction version 1.7.1 or later, where this vulnerability has been patched.
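Two checks follow from the advisory: whether a deployment is still on a release before 1.7.1, and whether the '/portal/AppStoreDashboard' endpoint was reached without an authenticated session before the update was applied. The script below is an added example written for this page, not code from the Faction project; the access-log layout and the sample lines are constructed for illustration (Faction's real log format is not shown here), and the session field is an assumption standing in for whatever session marker a real deployment records.

```python
import re

# Endpoint named in the advisory and the first release that carries the fix.
VULNERABLE_ENDPOINT = "/portal/AppStoreDashboard"
FIXED_VERSION = (1, 7, 1)

# Constructed access-log format (assumption, not Faction's own layout).
# Fields: client ip, timestamp, request line, status, session marker ("-" = none).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) session=(?P<session>\S+)$'
)

# Constructed sample lines for demonstration only.
SAMPLE_LOG = """\
10.0.0.5 [12/Mar/2024:10:01:02 +0000] "GET /portal/Dashboard HTTP/1.1" 200 session=ab12cd
10.0.0.5 [12/Mar/2024:10:01:09 +0000] "GET /portal/AppStoreDashboard HTTP/1.1" 200 session=ab12cd
203.0.113.7 [12/Mar/2024:10:02:30 +0000] "GET /portal/AppStoreDashboard HTTP/1.1" 200 session=-
203.0.113.7 [12/Mar/2024:10:02:41 +0000] "POST /portal/AppStoreDashboard HTTP/1.1" 200 session=-
203.0.113.7 [12/Mar/2024:10:03:00 +0000] "GET /login HTTP/1.1" 302 session=-
"""


def parse_version(version):
    """Turn '1.7.1' into (1, 7, 1); tolerates a leading 'v' and a '-rc1' style suffix."""
    core = version.strip().lstrip("vV").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version):
    """True for any release before 1.7.1, the fixed version named in the advisory."""
    # Tuple comparison handles multi-digit components ('1.10.0' is newer than '1.7.1').
    return parse_version(version) < FIXED_VERSION


def find_unauthenticated_dashboard_hits(log_text):
    """Return (ip, method, path) for requests to the extension UI made without a session."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # ignore lines that are not in the expected format
        path = match["path"].split("?", 1)[0]  # drop any query string before comparing
        if path != VULNERABLE_ENDPOINT:
            continue
        if match["session"] == "-":
            findings.append((match["ip"], match["method"], path))
    return findings


if __name__ == "__main__":
    print("1.7.0 affected:", is_affected("1.7.0"))
    for hit in find_unauthenticated_dashboard_hits(SAMPLE_LOG):
        print("extension UI reached without a session:", hit)
```

Any request to the endpoint that succeeded without a session is worth reviewing, and an unauthenticated POST in particular should prompt a check of which extensions are installed on the server. Run the version check against every Faction instance in the inventory, not only the one that was reported.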