Glances Command Injection Vulnerability via User-Controlled Mustache Template Variables

Vulnerability

A command injection vulnerability has been identified in Glances, an open-source cross-platform system monitoring tool. This issue arises in the action command templates, which can include Mustache variables populated with real-time data. Prior to version 4.5.2, the 'secure_popen()' function, responsible for executing these commands, improperly handled user-controlled data such as process names and container names. When such data included metacharacters like pipes or redirects, it could be exploited to inject arbitrary commands. This vulnerability affects Glances versions through 4.5.2-dev01.

Impact

Exploitation of this vulnerability allows arbitrary command execution as the user running the Glances process, which is often root. This can lead to privilege escalation when a low-privileged user, who only needs to control a process or container name, gets commands executed with elevated rights. Additionally, because the injected metacharacters can include redirects, the flaw could be used to write arbitrary data to files.

Reproduction

To reproduce this vulnerability, first configure an action in the Glances 'processlist' or 'containers' section that includes user-controlled Mustache variables. Then, create a process or Docker container with a name that includes injection metacharacters, such as a pipe or double ampersand. When the action is triggered, the injected command will be executed, demonstrating the command injection flaw.

Remediation

Users can upgrade to Glances version 4.5.2, which addresses this vulnerability by sanitizing Mustache-rendered values before they are processed by 'secure_popen()'.
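The vulnerable pattern and a hardened form, as an added illustration that is not Glances' own code: the Mustache-style substitution, the metacharacter check, and the function names are assumptions made for this example. The hardened renderer shell-quotes every substituted value so that a process name such as "foo | bar" stays a single argument instead of introducing a pipe.

```python
import re
import shlex

# Constructed example; helper names and the template syntax are assumptions,
# not the Glances implementation.
MUSTACHE_VAR = re.compile(r"{{\s*(\w+)\s*}}")
# Characters that a shell (or a shell-like command parser) would interpret.
SHELL_METACHARS = re.compile(r"[|&;<>`$()\n]")

def render_unsafe(template, values):
    """Naive substitution: values land in the command string verbatim, so any
    metacharacters in a process/container name become part of the command."""
    return MUSTACHE_VAR.sub(lambda m: str(values.get(m.group(1), "")), template)

def render_safe(template, values):
    """Hardened form: each substituted value is shell-quoted, so it is passed
    through as one argument no matter which characters it contains."""
    return MUSTACHE_VAR.sub(
        lambda m: shlex.quote(str(values.get(m.group(1), ""))), template)

def tainted_variables(values):
    """Names of variables whose value carries shell metacharacters; useful as a
    detection hook before an action command is ever built."""
    return sorted(k for k, v in values.items() if SHELL_METACHARS.search(str(v)))

def build_argv(command):
    """Split a rendered command into an argv list for subprocess without a shell."""
    return shlex.split(command)

def prepare_action(template, values):
    """Build argv for an action; refuse tainted values unless they are quoted."""
    if tainted_variables(values):
        # Quoting keeps the value inert; a stricter policy could reject it instead.
        return build_argv(render_safe(template, values))
    return build_argv(render_unsafe(template, values))

# Constructed process name carrying a pipe, as described in the advisory.
SAMPLE_VALUES = {"name": "foo | bar", "pid": 4242}
TEMPLATE = "logger proc {{name}} pid {{pid}}"
```

`build_argv(render_unsafe(TEMPLATE, SAMPLE_VALUES))` yields a separate `|` token, while `prepare_action(TEMPLATE, SAMPLE_VALUES)` keeps `foo | bar` as one argument.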

Added: Mar 18, 2026, 7:32 AM
Updated: Mar 18, 2026, 7:32 AM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:        10.0
exploitability: 4.2
remediation:    0.0
relevance:      4.1
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.