OneUptime Remote Command Execution Vulnerability in Synthetic Monitor Playwright Runtime
Vulnerability
A remote command execution vulnerability has been identified in OneUptime versions prior to 10.0.35. It allows a low-privileged authenticated user (a ProjectMember) to execute arbitrary commands on the Probe container or host. The flaw lies in the Synthetic Monitor's Playwright script execution: user-supplied scripts run in a sandbox that restricts access to the Playwright page context by denying a list of known property names, and that denylist is incomplete. In particular, the '_browserType' and 'launchServer' properties are not restricted, so an attacker can traverse from the page context to the underlying browser type object and use it to spawn arbitrary processes. Because the sandbox only blocks names it knows about, any unlisted path to a process-spawning method is enough for command execution on the host.
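Why a denylist of this kind fails, as an added example that is not OneUptime's or Playwright's code: the script below models a page object whose undocumented `_browserType` field reaches the same object as the blocked public accessor, wraps it first in a denylist Proxy and then in an allowlist Proxy, and runs a constructed script of the shape the advisory describes against each. Only the names `_browserType` and `launchServer` come from the advisory; the rest of the object graph, the denied and allowed name sets, and the flattened one-hop property chain are assumptions made for illustration, and `launchServer` here only records what would have been spawned rather than starting a process.

```javascript
"use strict";

// Constructed stand-in for a Playwright-like object graph (an assumption, not the
// real library): a page object whose "private" _browserType field reaches an object
// with a process-spawning launchServer method. The real property chain in Playwright
// is not shown in the advisory and is flattened here to one hop.
function makeFakePage(spawnLog) {
  const browserType = {
    name: () => "chromium",
    // Stand-in for a method that spawns an OS process: it records what would run.
    launchServer(opts = {}) {
      spawnLog.push(opts.executablePath || "default-browser-binary");
      return { wsEndpoint: () => "ws://127.0.0.1:0/fake" };
    },
  };
  return {
    goto: async (url) => `navigated:${url}`,
    title: async () => "fake title",
    browserType: () => browserType, // documented accessor
    _browserType: browserType,      // undocumented field, same object
  };
}

// Denylist sandbox: refuses the names it knows about and passes everything else
// through untouched. The denied names are assumed for the example.
const DENIED = new Set(["browserType", "context", "evaluate"]);
function denylistSandbox(target) {
  return new Proxy(target, {
    get(obj, prop) {
      if (typeof prop === "string" && DENIED.has(prop)) {
        throw new Error(`blocked: ${prop}`);
      }
      return obj[prop];
    },
  });
}

// Allowlist sandbox: exposes only the listed methods, bound to the real page so the
// caller never obtains the underlying object. Every unlisted name, including any
// underscore-prefixed internal, is refused. The allowed names are assumed.
const ALLOWED = new Set(["goto", "title"]);
function allowlistSandbox(target) {
  return new Proxy(target, {
    get(obj, prop) {
      if (typeof prop !== "string" || !ALLOWED.has(prop)) {
        throw new Error(`blocked: ${String(prop)}`);
      }
      const value = obj[prop];
      return typeof value === "function" ? value.bind(obj) : value;
    },
  });
}

// Runs an untrusted script against a sandboxed page and reports what got spawned
// and whether the sandbox threw, so the two designs can be compared.
function runUntrusted(sandboxFactory, script) {
  const spawnLog = [];
  const page = sandboxFactory(makeFakePage(spawnLog));
  let error = null;
  try {
    script(page);
  } catch (e) {
    error = e.message;
  }
  return { spawned: spawnLog, error };
}

// Constructed script in the shape the advisory describes: sidestep the blocked
// public accessor via the private field, then ask the browser type to launch a
// process with an attacker-chosen executable.
const escapeScript = (page) =>
  page._browserType.launchServer({ executablePath: "/usr/bin/id" });

const benignScript = (page) => page.title();

// Four runs: the denylist stops the public accessor but not the private field;
// the allowlist stops the private field and still serves the benign script.
function demo() {
  return {
    denylistPublicAccessor: runUntrusted(denylistSandbox, (p) => p.browserType()),
    denylistPrivateField: runUntrusted(denylistSandbox, escapeScript),
    allowlistPrivateField: runUntrusted(allowlistSandbox, escapeScript),
    allowlistBenign: runUntrusted(allowlistSandbox, benignScript),
  };
}

for (const [label, result] of Object.entries(demo())) {
  console.log(label, JSON.stringify(result));
}
```

The denylist run ends with "/usr/bin/id" in the spawn log and no error, because `_browserType` was never on the list and the object it returns is the raw browser type, so nothing downstream is intercepted either. The allowlist run fails at the first property access, before any inner object is reachable. The general lesson for a script sandbox built on a host object is to expose a closed set of bound methods rather than enumerate the names you remember to forbid: every property the denylist omits is a path out.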
Impact
Any project member with permission to create monitors can execute arbitrary commands on the Probe host, turning a low-privileged account into remote code execution on the probe infrastructure.
Reproduction
To reproduce this vulnerability, log in as a project member with monitor creation rights. Create a Synthetic Monitor and paste a Playwright script that reaches the '_browserType' property and uses it to launch a server process running a command such as 'id'. Select a browser type and screen type, set the retry count to 0, and test the monitor against any probe. Open 'Details' for the test run: by then the command has executed on the Probe host that ran the script.
Remediation
Update to OneUptime version 10.0.35 or later, where this vulnerability is patched. Until the upgrade is applied, limiting which project members may create or edit monitors reduces exposure, since the attack requires that permission.
