Glances Command Injection Vulnerability in Dynamic Configuration Parsing

Vulnerability

A command injection vulnerability has been identified in Glances, a cross-platform system monitoring tool, prior to version 4.5.3. The issue arises from the application's dynamic configuration feature, which allows substrings enclosed in backticks to be executed as system commands during the parsing of configuration files. This behavior, found in the 'Config.get_value()' method, is implemented without any validation or restrictions on the commands being executed. As a result, if an attacker can modify or influence the configuration files, arbitrary commands could be executed automatically with the privileges of the Glances process, potentially leading to privilege escalation, especially in environments where Glances is run as a system service with elevated rights.

Impact

Exploitation of this vulnerability allows for arbitrary command execution with the privileges of the Glances process. In cases where Glances is executed as a privileged service, this could result in unauthorized actions being performed with elevated rights.

Reproduction

To reproduce this vulnerability, create a malicious configuration file that includes a command enclosed in backticks. Launch Glances with this custom configuration file. When Glances reads the configuration, it will execute the command and replace the original configuration value with the command's output. This execution occurs automatically, without any user interaction.
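A defender-side check for the behaviour described in the Vulnerability and Reproduction sections, added here as an example and not taken from Glances itself: it scans an INI-style configuration for backtick-enclosed values that an unpatched version (before 4.5.3) would execute, and shows a lookup that refuses to expand them. The sample configuration, its section and key names, and the helper names are constructed for illustration; the real `Config.get_value()` implementation is not reproduced.

```python
import configparser
import re

# A backtick-enclosed substring inside a configuration value is what the
# vulnerable parser treats as a shell command to run.
BACKTICK_RE = re.compile(r"`([^`]*)`")

# Constructed sample configuration in INI style. Section and key names are
# illustrative only, not copied from a real Glances install.
SAMPLE_CONFIG = """
[global]
refresh=2

[cpu]
user_careful=`echo 50`
user_warning=70

[amps]
note=plain value with no expansion
"""


def load_config(config_text):
    """Parse INI text with '%' interpolation disabled so values are raw."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    return parser


def find_backtick_values(config_text):
    """Return (section, key, command) for every value an unpatched
    Glances would hand to the shell. Useful for auditing config files
    before deploying or upgrading."""
    parser = load_config(config_text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            for cmd in BACKTICK_RE.findall(value):
                findings.append((section, key, cmd))
    return findings


def get_value_safe(parser, section, key, default=None):
    """Hardened lookup (hypothetical, not Glances code): return the raw
    string and never execute a backtick substring; reject it instead."""
    value = parser.get(section, key, fallback=default)
    if value is not None and BACKTICK_RE.search(value):
        raise ValueError(f"refusing to expand command in [{section}] {key}")
    return value


if __name__ == "__main__":
    for section, key, cmd in find_backtick_values(SAMPLE_CONFIG):
        print(f"[{section}] {key}: would execute {cmd!r}")
```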

Remediation

Users can update to Glances version 4.5.3 or later, where this vulnerability has been patched.

Added: Apr 2, 2026, 4:44 PM
Updated: Apr 2, 2026, 4:44 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 4.4
remediation: 0.0
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.