Roxy-WI
cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*
- <= v8.2.6.3
A remote code execution vulnerability has been identified in Roxy-WI versions prior to 8.2.6.4. The '/config/<service>/find-in-config' endpoint takes a 'words' parameter that is interpolated, without sanitization, into a 'grep' shell command, which Roxy-WI then runs on the managed server over SSH. An authenticated attacker can place shell metacharacters in 'words' to break out of the intended 'grep' invocation and run arbitrary operating system commands; because the command is executed with sudo, this yields full remote code execution with root privileges.
Exploitation requires only a valid Roxy-WI login: any authenticated user can execute arbitrary commands as root on the target server.
To reproduce, send an authenticated POST request to '/config/<service>/find-in-config' with a 'words' parameter whose value contains shell metacharacters, for example a semicolon followed by additional commands. The injected commands are executed with sudo on the specified server.
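The flaw class above is string interpolation of user input into a command that a remote shell will parse. The following is an added illustration of that pattern and its fix, written for this page; it is not Roxy-WI's code, and the exact shape of the original command is an assumption. It runs the built command through the local /bin/sh in place of "ssh host <command>" (sshd likewise hands the string to a shell) and omits sudo so it can run unprivileged. The config content and the 'words' payload are constructed for the demo.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed sample config (not from the advisory); stands in for a service
# config that the find-in-config endpoint would search on the managed server.
SAMPLE_CONFIG = (
    "frontend main\n"
    "    bind *:80\n"
    "    default_backend app\n"
    "backend app\n"
    "    server web1 10.0.0.1:8080\n"
)


def _write_sample_config() -> str:
    fd, path = tempfile.mkstemp(prefix="find-in-config-", suffix=".cfg")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_CONFIG)
    return path


def _run_via_shell(command: str) -> str:
    # Stand-in for "ssh host <command>": the remote sshd passes the string to
    # the user's shell, so parsing it with the local /bin/sh reproduces the
    # injection. sudo is omitted so the demo runs unprivileged; in the real
    # flaw the command ran under sudo, which is what made this root-level RCE.
    result = subprocess.run(
        ["/bin/sh", "-c", command],
        stdin=subprocess.DEVNULL,
        capture_output=True,
        text=True,
    )
    return result.stdout


def build_command_vulnerable(words: str, config_path: str) -> str:
    # Hypothetical shape of the flawed construction: the user-controlled
    # 'words' value is pasted straight into the shell command string.
    return f"grep -n {words} {config_path}"


def build_command_hardened(words: str, config_path: str) -> str:
    # shlex.quote() turns each value into exactly one shell word, and '--'
    # keeps a 'words' value beginning with '-' from being parsed as a grep
    # option. When no remote shell is involved, pass an argv list to
    # subprocess.run() with shell=False instead of building a string at all.
    return f"grep -n -- {shlex.quote(words)} {shlex.quote(config_path)}"


def find_in_config(words: str, hardened: bool) -> str:
    """Search the sample config for 'words'; returns grep's stdout."""
    path = _write_sample_config()
    try:
        builder = build_command_hardened if hardened else build_command_vulnerable
        return _run_via_shell(builder(words, path))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Semicolon ends the grep command; '#' comments out the trailing path.
    payload = "bind; echo INJECTED #"
    print("vulnerable:", repr(find_in_config(payload, hardened=False)))
    print("hardened:  ", repr(find_in_config(payload, hardened=True)))
    print("legit:     ", repr(find_in_config("bind", hardened=True)))
```

With the vulnerable builder the payload runs `echo INJECTED` as a second command; with the hardened builder the same value is searched for as a literal grep pattern and matches nothing. Quoting is the fix when a string must cross an SSH boundary; an allow-list on 'words' (for example, rejecting anything outside a conservative character set) is a reasonable second layer but should not replace quoting.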
Users can update to Roxy-WI version 8.2.6.4 or later, where this vulnerability has been patched.