Termix Remote Code Execution Vulnerability via OS Command Injection in Docker Management Endpoints
Vulnerability
A remote code execution vulnerability has been identified in Termix versions prior to 2.1.0. The issue arises in all Docker container management endpoints, where the 'containerId' URL path parameter and WebSocket message field are directly interpolated into shell commands. This interpolation occurs without any sanitization or validation, allowing authenticated attackers to inject arbitrary operating system commands. The injected commands are executed on remote servers via SSH, potentially leading to a full compromise of the managed infrastructure.
Impact
Exploitation of this vulnerability allows for remote code execution on any managed server connected via SSH, with the executed commands running under the SSH user's privileges, which are often root. This could result in a complete compromise of the affected infrastructure.
Reproduction
To reproduce this vulnerability, send a request to one of the affected Docker container management endpoints, such as '/docker/containers/<session-id>/<malicious-container-id>/logs'. The 'containerId' parameter can be crafted to include injected commands, such as '$(id>/tmp/pwned)', which would execute the 'id' command on the remote server and redirect the output to a temporary file.
Remediation
Users should upgrade to Termix 2.1.0 or later. The fix is to validate the 'containerId' parameter against a strict allow-list regex pattern before it is used anywhere, or to drop shell commands altogether and talk to the Docker Engine API over HTTP, where the container ID is a URL component rather than part of a shell string.
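The following is an added example, not Termix project code, showing the unsafe pattern the advisory describes beside the two checks a handler should apply: an allow-list test on the container reference and, as defense in depth, POSIX single-quoting before the value is appended to a command string. The regex is an assumption (the advisory says "a specified regex pattern" without giving one); it accepts hex container IDs and Docker container names as the `docker` CLI itself does. The helper names are hypothetical.

```javascript
// Added example (not part of Termix). Illustrates why interpolating a
// request-controlled containerId into a shell string is exploitable, and
// what a hardened handler checks before building the command.

// ASSUMPTION: allow-list for Docker container references. Docker accepts
// 12- or 64-char hex IDs and names matching [a-zA-Z0-9][a-zA-Z0-9_.-]+,
// so anything outside that set is rejected. No shell metacharacter
// ($ ( ) ; | ` ' " space) can pass this test.
const CONTAINER_REF = /^[a-zA-Z0-9][a-zA-Z0-9_.-]{0,127}$/;

function isValidContainerId(id) {
  return typeof id === 'string' && CONTAINER_REF.test(id);
}

// Vulnerable pattern described by the advisory: the untrusted value is
// pasted into one string that a remote shell will parse, so `$(...)`,
// backticks, `;` and `|` all become live syntax.
function buildLogsCommandUnsafe(containerId) {
  return `docker logs --tail 100 ${containerId}`;
}

// Defense in depth: wrap a value in POSIX single quotes, escaping any
// embedded quote as '\'' so the shell treats the whole thing literally.
// Over an SSH exec channel there is no argv; the remote side always runs a
// string through a shell, so quoting matters even after validation.
function shellQuoteSingle(value) {
  return "'" + value.replace(/'/g, "'\\''") + "'";
}

// Hardened form: reject anything outside the allow-list first, then quote
// what remains. Returns the command string that would be sent over SSH.
function buildLogsCommandChecked(containerId) {
  if (!isValidContainerId(containerId)) {
    throw new Error('invalid containerId');
  }
  return `docker logs --tail 100 ${shellQuoteSingle(containerId)}`;
}

// Minimal route-style handler for the /docker/containers/.../logs shape the
// advisory mentions. Returns an HTTP-like result object instead of sending
// a response so the example runs offline; on reject it never builds a command.
function handleLogsRequest(params) {
  const { containerId } = params;
  if (!isValidContainerId(containerId)) {
    return { status: 400, body: 'invalid containerId' };
  }
  return { status: 200, command: buildLogsCommandChecked(containerId) };
}

// Same check applied to the WebSocket message field the advisory names.
// Constructed message shape; the real field layout is not given on the page.
function containerIdFromMessage(msg) {
  if (!msg || typeof msg !== 'object') return null;
  return isValidContainerId(msg.containerId) ? msg.containerId : null;
}

// Stand-alone demo: the page's own payload is rejected, a real name passes.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(handleLogsRequest({ containerId: '$(id>/tmp/pwned)' }));
  console.log(handleLogsRequest({ containerId: 'web-1' }));
}
```

Validation is the primary control; quoting alone is not a substitute, because it still leaves the value to be parsed by whatever shell the SSH user has configured on each managed host. Switching to the Docker Engine API (over a local socket or an SSH-forwarded port) removes the shell from the path entirely, which is the second remediation the advisory gives.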