nginx-ui Unauthenticated Remote Code Execution Vulnerability via Backup Restore Endpoint

Vulnerability

A critical vulnerability affects nginx-ui versions prior to 2.3.8. During the first 10 minutes after installation the application exposes its backup restore endpoint without authentication. A remote attacker who can reach the endpoint in that window can upload a crafted backup that overwrites the application's configuration file and its SQLite database. Because the restored configuration can carry an attacker-chosen command, the attacker obtains arbitrary OS command execution with the privileges of the nginx-ui process, which is typically root in Docker deployments.

Impact

Successful exploitation gives an unauthenticated remote attacker command execution on the server and, in Docker deployments where nginx-ui runs as root, potentially full host access.

Reproduction

To reproduce this vulnerability:

1. Confirm that the installation window is still open by querying the installation status through the API.
2. Craft a backup containing a malicious configuration file (`app.ini`) and, optionally, a database file (`nginx-ui.db`) whose admin user has a password hash known to the attacker.
3. Encrypt the backup with AES, package it into a ZIP archive, and upload it to the vulnerable restore endpoint; no authentication is required.
4. Wait for the application to restart with the restored configuration, then trigger execution of the injected command through the API.

The open installation window is the precondition for every later step: an instance whose setup has already been completed does not accept the unauthenticated restore.
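The design mistake behind the advisory, a sensitive endpoint gated only by a time window, reconstructed as an added illustration in Go (the language nginx-ui is written in). This is not nginx-ui's code: the `App` type, the handler names, the route paths, the `X-Setup-Token` header and the restore stub are assumptions. The vulnerable handler accepts any upload while the window is open; the hardened handler additionally requires a one-time setup token that only ever leaves the host via the local console, so reachability over the network is no longer sufficient.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"io"
	"log"
	"net/http"
	"sync"
	"time"
)

// installWindow follows the advisory: for 10 minutes after first start the app is "not yet installed".
const installWindow = 10 * time.Minute

// App is a hypothetical stand-in for application state, not nginx-ui's own type.
type App struct {
	mu           sync.Mutex
	startedAt    time.Time
	installed    bool
	setupToken   string // hardened variant only; shown on the local console, never via the API
	restoreCount int
}

// NewApp creates first-start state with a random setup token (crypto/rand, 256 bits).
func NewApp(startedAt time.Time) *App {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		log.Fatal(err)
	}
	return &App{startedAt: startedAt, setupToken: hex.EncodeToString(buf)}
}

// SetupToken exposes the token the way the console would show it to the operator.
func (a *App) SetupToken() string { return a.setupToken }

// RestoreCount reports how many uploads were actually applied.
func (a *App) RestoreCount() int {
	a.mu.Lock()
	defer a.mu.Unlock()
	return a.restoreCount
}

func (a *App) installOpen(now time.Time) bool {
	a.mu.Lock()
	defer a.mu.Unlock()
	return !a.installed && now.Sub(a.startedAt) < installWindow
}

// restore stands in for "unpack the uploaded archive over config and database".
func (a *App) restore(w http.ResponseWriter, r *http.Request) {
	if _, err := io.Copy(io.Discard, r.Body); err != nil {
		http.Error(w, "bad upload", http.StatusBadRequest)
		return
	}
	a.mu.Lock()
	a.restoreCount++
	a.installed = true // a restored instance counts as installed
	a.mu.Unlock()
	w.WriteHeader(http.StatusOK)
}

// VulnerableRestore: the time window is the only gate, so anyone who can reach
// the port during those minutes can overwrite the configuration and database.
func (a *App) VulnerableRestore(w http.ResponseWriter, r *http.Request) {
	if !a.installOpen(time.Now()) {
		http.Error(w, "installation already completed", http.StatusForbidden)
		return
	}
	a.restore(w, r)
}

// HardenedRestore also demands the host-only setup token (constant-time compare),
// so network reachability alone no longer suffices.
func (a *App) HardenedRestore(w http.ResponseWriter, r *http.Request) {
	if !a.installOpen(time.Now()) {
		http.Error(w, "installation already completed", http.StatusForbidden)
		return
	}
	got := []byte(r.Header.Get("X-Setup-Token"))
	if subtle.ConstantTimeCompare(got, []byte(a.setupToken)) != 1 {
		http.Error(w, "setup token required", http.StatusUnauthorized)
		return
	}
	a.restore(w, r)
}

func main() {
	app := NewApp(time.Now())
	log.Printf("setup token (console only): %s", app.SetupToken())
	mux := http.NewServeMux()
	mux.HandleFunc("/vulnerable/restore", app.VulnerableRestore)
	mux.HandleFunc("/hardened/restore", app.HardenedRestore)
	log.Fatal(http.ListenAndServe("127.0.0.1:9000", mux))
}
```

The token check is deliberately placed in addition to, not instead of, the window check: once setup has completed, neither handler accepts a restore, and during setup the hardened one accepts it only from a caller who already has host-level access to read the token. A fix that merely shortens the window would leave the same unauthenticated race in place.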

Remediation

Update to nginx-ui version 2.3.8 or later, where this vulnerability has been patched. Because the exposure is limited to the installation window, also complete the initial setup immediately after deployment and avoid exposing a freshly started instance to untrusted networks until setup is done. Any instance whose configuration or database could have been overwritten through this endpoint should be treated as compromised, since both the command in the restored configuration and the admin credentials in the restored database are then attacker-controlled.

Added: May 4, 2026, 9:20 PM
Updated: May 4, 2026, 9:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 7.5
exploitability: 7.2
remediation: 7.7
relevance: 7.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.