{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/archivebox--0.8.6rc0/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["archivebox (\u003c= 0.8.6rc0)"],"_cs_severities":["critical"],"_cs_tags":["rce","vulnerability","archivebox"],"_cs_type":"advisory","_cs_vendors":["ArchiveBox"],"content_html":"\u003cp\u003eArchiveBox versions up to and including 0.8.6rc0 are susceptible to a critical remote code execution (RCE) vulnerability. The vulnerability stems from the \u003ccode\u003e/add/\u003c/code\u003e endpoint (AddView in \u003ccode\u003ecore/views.py\u003c/code\u003e), which accepts a \u003ccode\u003econfig\u003c/code\u003e JSON field. This field is merged into the crawl configuration without proper validation. When \u003ccode\u003ePUBLIC_ADD_VIEW=True\u003c/code\u003e, this allows unauthenticated users to inject arbitrary tool arguments, leading to command execution on the server. This is achieved by manipulating environment variables used by archive plugins like yt-dlp and gallery-dl. The endpoint is also \u003ccode\u003e@csrf_exempt\u003c/code\u003e, further easing exploitation. Exploitation allows attackers to execute arbitrary commands on the ArchiveBox server, potentially leading to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker (when \u003ccode\u003ePUBLIC_ADD_VIEW=True\u003c/code\u003e) sends a POST request to the \u003ccode\u003e/add/\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker includes a \u003ccode\u003econfig\u003c/code\u003e parameter in the POST data containing a JSON object.\u003c/li\u003e\n\u003cli\u003eThis JSON object includes a key like \u003ccode\u003eYTDLP_ARGS_EXTRA\u003c/code\u003e or \u003ccode\u003eGALLERYDL_ARGS_EXTRA\u003c/code\u003e with a crafted value.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eAddView\u003c/code\u003e in \u003ccode\u003ecore/views.py\u003c/code\u003e extracts the \u003ccode\u003econfig\u003c/code\u003e data without validation.\u003c/li\u003e\n\u003cli\u003eThe extracted configuration is merged into the crawl configuration.\u003c/li\u003e\n\u003cli\u003eThe crawl configuration is exported as environment variables.\u003c/li\u003e\n\u003cli\u003eThe yt-dlp or gallery-dl plugin executes, using the injected environment variables as arguments.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled arguments, such as \u003ccode\u003e--exec \u0026quot;id \u0026gt; /tmp/pwned\u0026quot;\u003c/code\u003e, are passed to yt-dlp or gallery-dl, resulting in arbitrary command execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows unauthenticated attackers to execute arbitrary commands on the ArchiveBox server. The impact includes potential for complete system compromise, data exfiltration, or denial-of-service. This vulnerability is particularly critical when the \u003ccode\u003ePUBLIC_ADD_VIEW\u003c/code\u003e setting is enabled, which is a common configuration for bookmarklet usage, making the attack pre-authentication.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of ArchiveBox beyond 0.8.6rc0 to remediate CVE-2026-42601.\u003c/li\u003e\n\u003cli\u003eAs a temporary mitigation, disable the \u003ccode\u003ePUBLIC_ADD_VIEW\u003c/code\u003e setting to prevent unauthenticated access to the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect ArchiveBox Configuration Injection\u0026rdquo; to identify attempts to inject malicious configurations via the \u003ccode\u003e/add/\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/add/\u003c/code\u003e containing a \u003ccode\u003econfig\u003c/code\u003e parameter with suspicious values in keys such as \u003ccode\u003eYTDLP_ARGS_EXTRA\u003c/code\u003e or \u003ccode\u003eGALLERYDL_ARGS_EXTRA\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-archivebox-rce/","summary":"ArchiveBox versions 0.8.6rc0 and earlier are vulnerable to remote code execution (RCE) due to unvalidated configuration overrides in the AddView (/add/ endpoint) allowing arbitrary command execution.","title":"ArchiveBox RCE via Unvalidated Configuration Overrides","url":"https://feed.craftedsignal.io/briefs/2024-01-archivebox-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Archivebox (\u003c= 0.8.6rc0)","version":"https://jsonfeed.org/version/1.1"}