xiaoyunjie openvpn-cms-flask Command Injection Vulnerability in User Creation Endpoint

A critical authenticated remote code execution vulnerability has been identified in xiaoyunjie openvpn-cms-flask versions through 1.2.7. The issue resides in the User Creation Endpoint, specifically within the create_user function of the file /app/api/v1/openvpn.py. The vulnerability arises from unsanitized user input in the username parameter, which is directly concatenated into a command that is executed on the server. This flaw allows privileged users to execute arbitrary commands, potentially leading to a full system compromise.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the server, with the potential for full system compromise.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to the OpenVPN user creation endpoint with a malicious payload in the username parameter. The payload can include command injection syntax, such as a semicolon followed by a command (e.g., 'touch /tmp/pwn'). This exploits the vulnerability by injecting a command that is executed on the server.

Remediation

Users are advised to upgrade to version 1.2.8, which addresses this vulnerability. The updated version is available on the project's GitHub releases page.