Openlabs Docker Wkhtmltopdf Aas OS Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in the 'app.py' component of Openlabs Docker Wkhtmltopdf Aas, affecting all versions prior to commit '9f50579'. It allows unauthenticated remote attackers to execute arbitrary commands on the server with root privileges. The application accepts user-supplied 'wkhtmltopdf' options in the JSON body of a POST request and concatenates both the option keys and their values into a single command string that is then evaluated by a shell, without checking the keys against a list of permitted options or rejecting shell metacharacters in either keys or values. An attacker can therefore terminate the intended command with a character such as ';' and append their own, through either an option value or an option key, and the injected command runs with the privileges of the application process.

Impact

Exploitation of this vulnerability results in full remote code execution as root, with no authentication required. From there an attacker can exfiltrate files and environment variables from the container, which in such deployments commonly hold sensitive information such as API keys and database credentials, and can obtain a reverse shell to facilitate further exploitation or lateral movement to other hosts reachable on the Docker network. The root shell is confined to the container unless the container was started with elevated privileges, in which case escape to the host system becomes possible.

Reproduction

The vulnerability can be reproduced by sending a crafted POST request that carries base64-encoded HTML content together with 'wkhtmltopdf' options whose key or value contains shell metacharacters followed by the command to execute. Either 'curl' or a short Python script that builds the JSON body and submits it is sufficient to automate the exploitation. The injected commands execute on the server as root; a non-destructive check, such as a command that writes a marker file or sleeps for a measurable interval, is enough to confirm the flaw without damaging the target.

Remediation

To address this vulnerability, replace the shell-evaluated command string with 'subprocess.run()' called on a list of arguments with 'shell=False', so that each option and value reaches 'wkhtmltopdf' as one literal argument and shell metacharacters lose their meaning. That alone is not sufficient: with an argument list, unrestricted option keys still let a caller pass arbitrary 'wkhtmltopdf' flags, so the application should also enforce an allowlist of permitted options and validate each value against the format that option expects before building the command. As defence in depth, the service should not run as root inside the container, and the container should not be granted privileges beyond what the converter needs.
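The following Python is an added illustration of the pattern described in the Vulnerability, Reproduction and Remediation sections above; it is not the project's 'app.py'. The request field names ('contents', 'options'), the option allowlist and the exact way the vulnerable version concatenates its command are assumptions made for the example. It shows the vulnerable string construction beside the hardened argument-list version, and uses the Python interpreter as an offline stand-in for 'wkhtmltopdf' to show that a payload passed in an argument list arrives at the child process as one literal argument instead of being interpreted by a shell.

```python
"""Added illustration of the injection pattern the advisory describes and of
the remediation it recommends. This is NOT the project's app.py: the request
field names ("contents", "options"), the option allowlist and the exact
vulnerable string construction are assumptions based on the advisory text."""
import base64
import json
import re
import subprocess
import sys


def parse_request(body):
    """Decode the JSON body: base64 HTML plus a dict of wkhtmltopdf options."""
    data = json.loads(body)
    html = base64.b64decode(data["contents"])
    options = data.get("options", {})
    if not isinstance(options, dict):
        raise ValueError("options must be a JSON object")
    return html, options


def build_command_vulnerable(options, src="in.html", dst="out.pdf"):
    """The pattern the advisory describes: keys and values pasted into one
    string that is later evaluated by a shell (shell=True / os.system).
    A ';', '|' or '$(...)' in either a key or a value becomes shell syntax."""
    parts = [f"{key} {value}" for key, value in options.items()]
    return "wkhtmltopdf " + " ".join(parts) + f" {src} {dst}"


# Hardened form: allowlist of option names, each with a validator for its value.
# (Assumed set; a real deployment lists exactly the options it needs.)
ALLOWED_OPTIONS = {
    "--page-size": re.compile(r"(A[0-9]|Letter|Legal)"),
    "--orientation": re.compile(r"(Portrait|Landscape)"),
    "--title": re.compile(r"[\w .,-]{1,100}"),
}


def build_command_hardened(options, src="in.html", dst="out.pdf"):
    """Return an argv list for subprocess.run(..., shell=False).
    Unknown option names and values that fail validation are rejected, so an
    attacker can neither reach a shell nor smuggle extra wkhtmltopdf flags."""
    argv = ["wkhtmltopdf"]
    for key, value in options.items():
        pattern = ALLOWED_OPTIONS.get(key)
        if pattern is None:
            raise ValueError(f"option not permitted: {key!r}")
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise ValueError(f"invalid value for {key}: {value!r}")
        argv += [key, value]
    return argv + [src, dst]


def run_argv(argv, timeout=60):
    """Execute the converter without a shell; each element is one literal argument."""
    return subprocess.run(argv, shell=False, check=True,
                          capture_output=True, timeout=timeout)


def argv_passes_payload_literally(payload):
    """Offline demonstration of why the list form is safe: the Python interpreter
    stands in for wkhtmltopdf and echoes argv[1], which arrives unchanged."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", payload],
        shell=False, check=True, capture_output=True, text=True,
    )
    return proc.stdout


# Constructed request bodies for the demonstration (not captured traffic).
HTML_B64 = base64.b64encode(b"<h1>invoice</h1>").decode()
BENIGN_BODY = json.dumps({"contents": HTML_B64,
                          "options": {"--page-size": "A4", "--orientation": "Landscape"}})
MALICIOUS_BODY = json.dumps({"contents": HTML_B64,
                             "options": {"--title": "x; id > /tmp/pwned #"}})

if __name__ == "__main__":
    _, benign = parse_request(BENIGN_BODY)
    _, evil = parse_request(MALICIOUS_BODY)
    print("vulnerable:", build_command_vulnerable(evil))  # a shell would run `id` here
    print("hardened  :", build_command_hardened(benign))
    try:
        build_command_hardened(evil)
    except ValueError as exc:
        print("hardened rejects payload:", exc)
    print("literal argv element:", argv_passes_payload_literally(evil["--title"]))
```

Running the module prints the shell string the vulnerable builder produces for the malicious body (the '; id' is plainly a second command), the argv list the hardened builder produces for the benign body, the rejection of the malicious body, and the payload echoed back unchanged by the stand-in child. The allowlist is not optional decoration: 'wkhtmltopdf' accepts options that read from or write to local paths, so accepting arbitrary option names even in list form would leave an argument-injection problem.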

Added: Jun 3, 2026, 4:43 PM
Updated: Jun 3, 2026, 4:43 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 9.9
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.