Flowsint Command Injection Vulnerability Leading to Remote Code Execution
Vulnerability
A command injection vulnerability that allows arbitrary OS command execution as root has been identified in Flowsint, an open-source OSINT graph exploration tool. The issue is in the 'org_to_asn' transform of the 'flowsint-transforms' package, prior to version 1.2.3: a value taken from a POST request is passed to a subprocess with shell interpretation enabled, so shell metacharacters injected into that value are executed as commands. Exploitation also allows a Docker container escape, granting root access to the host machine.
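As an added example (not Flowsint's own code; the real command the transform runs and its accepted character set are not given on the page, so both are assumptions), the injection-prone shape the advisory describes next to a hardened version that validates the 'name' value and passes it as a single argv element with shell interpretation disabled:

```python
# Added example, not code from the Flowsint project. The lookup command,
# field name and allow-list below are assumptions for illustration.
import re
import subprocess
import sys

# Conservative allow-list for an organisation name used as a CLI argument
# (assumption: the transform's real validation rules are not on the page).
ORG_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 .,&'()-]{0,127}$")


def vulnerable_command(name: str) -> str:
    """The vulnerable shape: untrusted input interpolated into one shell string.
    Returned (never executed here) to show where metacharacters would land
    if the string were handed to a subprocess with shell interpretation on."""
    return f"whois-lookup {name}"  # hypothetical command name


def is_valid_org_name(name: str) -> bool:
    """Reject anything outside the allow-list, including ; | $ ` and newlines."""
    return ORG_NAME_RE.fullmatch(name) is not None


def run_lookup(name: str) -> str:
    """Hardened shape: validate first, then pass the value as its own argv
    element with shell=False (the default), so the OS receives it as data.
    The Python interpreter stands in for the lookup binary so this runs
    offline; it simply echoes the argument back exactly as received."""
    if not is_valid_org_name(name):
        raise ValueError("organisation name contains disallowed characters")
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", name]
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed sample: a legitimate name that happens to contain '&',
    # a shell metacharacter. In the argv form it is passed through literally.
    print(vulnerable_command("Acme & Co"))
    print(run_lookup("Acme & Co"))
```

Defence in depth matters here: the allow-list stops obvious control characters, but it is the argv form without a shell that guarantees a value like `Acme & Co` is never parsed as two commands.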
Impact
Exploitation of this vulnerability results in unauthorized root access to the host machine, leading to a complete system compromise. This access allows an attacker to manipulate sensitive data, disrupt services, introduce malware, and perform any other malicious activities on the system.
Reproduction
To reproduce this vulnerability, create a sketch in Flowsint and run the 'org_to_asn' transform on an organization node. Supply a 'name' parameter containing shell metacharacters; the transform passes this value into a shell command, so the injected text is executed as a command. After obtaining a reverse shell, the Docker escape can be exploited by accessing the host filesystem and executing commands with root privileges.
Remediation
Users are advised to update Flowsint to version 1.2.3 or later, where this vulnerability has been patched.