HummerRisk Command Injection Vulnerability in Cloud Task Scheduler

A command injection vulnerability has been identified in HummerRisk versions through 1.5.0, specifically within the cloud task scheduler component. The issue arises in the 'ResourceCreateService.java' file, where the 'regionId' parameter is manipulated, leading to the injection of arbitrary operating system commands. This vulnerability can be exploited remotely by authenticated users with permission to create cloud scanning tasks. The injected commands are executed during task cleanup operations, allowing for remote code execution on the HummerRisk server.

Impact

Exploitation of this vulnerability allows for remote code execution on the server, with the injected commands executed under the privileges of the 'hummer-risk' user. This could lead to a complete compromise of the server, with potential escalation to root access if sudo privileges are configured. Additionally, the vulnerability could be exploited to exfiltrate sensitive data, delete arbitrary files, disrupt service operations, and violate compliance regulations.

Reproduction

To reproduce this vulnerability, create a cloud task using the 'POST /task/manual/create' API endpoint. Include a malicious 'regionId' parameter that contains shell metacharacters, such as command separators or command keywords. Once the task is executed, the injected commands will be executed during the task's cleanup phase, resulting in remote code execution on the server.

Remediation

It is recommended to implement strict input validation for the 'regionId' parameter, ensuring it adheres to expected formats and does not contain prohibited characters. Additionally, using safe command execution methods that do not interpret shell metacharacters can help mitigate this vulnerability. Whitelisting valid region IDs and protecting against path traversal attacks are also advisable.