<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Emissary - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/emissary/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 14:30:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/emissary/feed.xml" rel="self" type="application/rss+xml"/><item><title>Emissary Executrix OS Command Injection Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-emissary-executrix-injection/</link><pubDate>Tue, 09 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-emissary-executrix-injection/</guid><description>A vulnerability in Emissary's Executrix class allows for arbitrary OS command execution by injecting shell metacharacters into the IN_FILE_ENDING or OUT_FILE_ENDING configuration values, leading to code execution within the JVM's security context.</description><content:encoded><![CDATA[<p>Emissary, a data processing framework, contains a critical OS command injection vulnerability in its <code>Executrix</code> class. This flaw arises from the unsafe construction of shell commands where user-controlled configuration values, specifically <code>IN_FILE_ENDING</code> and <code>OUT_FILE_ENDING</code>, are directly incorporated into a <code>/bin/sh -c</code> command string without proper sanitization or escaping. An attacker with the ability to modify place configurations can inject arbitrary shell commands by setting these configuration values to malicious sequences. The vulnerability, identified in Emissary versions up to 8.42.0-SNAPSHOT, requires no API or network access and is triggered when the affected place processes any payload. This framework-level defect poses a significant risk as it allows for unauthenticated remote code execution within the JVM's security context.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains access to modify the configuration of an Emissary &quot;place&quot;, typically through compromised credentials or a separate vulnerability allowing configuration changes.</li>
<li>The attacker sets the <code>IN_FILE_ENDING</code> or <code>OUT_FILE_ENDING</code> configuration value for a vulnerable place (e.g., <code>UnixCommandPlace</code>) to a malicious string containing shell metacharacters, such as backticks for command substitution.</li>
<li>The Emissary server is restarted or reloads the modified configuration, applying the attacker-controlled <code>IN_FILE_ENDING</code> or <code>OUT_FILE_ENDING</code> value.</li>
<li>A file is placed into the Emissary pickup directory, triggering the pipeline processing.</li>
<li>The file is routed through the configured places, eventually reaching the place with the malicious <code>IN_FILE_ENDING</code> or <code>OUT_FILE_ENDING</code> value.</li>
<li>The <code>Executrix.getCommand()</code> method constructs a shell command that includes the unsanitized <code>IN_FILE_ENDING</code> or <code>OUT_FILE_ENDING</code> value. The injected shell metacharacters are interpreted by the shell.</li>
<li>The constructed command is executed via <code>/bin/sh -c</code>, resulting in the attacker-specified commands being executed on the system with the privileges of the Emissary process.</li>
<li>The attacker achieves arbitrary code execution, potentially leading to data exfiltration, system compromise, or denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to execute arbitrary OS commands on the Emissary server, leading to full system compromise. The vulnerability affects all Emissary deployments where place configurations can be modified. The impact includes potential data breaches, malware installation, and complete control over the affected server. Given the nature of Emissary as a data processing framework, successful exploitation could allow attackers to compromise sensitive data being processed.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply input validation and sanitization to the <code>IN_FILE_ENDING</code> and <code>OUT_FILE_ENDING</code> configuration parameters to prevent shell injection.</li>
<li>Deploy the Sigma rule <code>Detect Emissary InfileEnding OutfileEnding Injection Attempt</code> to detect attempts to exploit this vulnerability by monitoring for shell metacharacters in configuration files.</li>
<li>Implement strict access controls to limit who can modify place configurations in Emissary, as this is the primary attack vector.</li>
<li>Enable DEBUG level logging in Emissary to expose the assembled shell command strings. This allows for forensic analysis and detection of injection attempts.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>emissary</category><category>command-injection</category><category>executrix</category><category>ghsa-3p24-9x7v-7789</category></item></channel></rss>