Skip to content

Security: Critical RCE via unsafe deserialization and command execution #204

Description

@nkar123412-hub

I have discovered a critical Remote Code Execution (RCE) vulnerability in the hexstrike_server.py script.

Vulnerability Detail

The script utilizes unsafe practices for handling user-provided commands, particularly within the deserialization and command execution functionalities.

  1. **Unsafe Pickle Deserialization ( method):

    • The method generates a Python pickle payload that executes arbitrary commands via .
    • The variable is taken directly from user input without proper sanitization or validation.
  2. **Unsafe JSON Deserialization ( method):

    • The test payload for JSON deserialization directly embeds where the command part could be manipulated.
    • Crucially, the variable used to construct this payload is not sanitized, allowing an attacker to inject arbitrary commands.

Impact

An unauthenticated attacker can send a specially crafted request to the server, triggering the deserialization of a malicious payload. This allows the attacker to execute arbitrary commands on the server with the privileges of the running HexStrike process, leading to a full system compromise.

Recommended Fix

  1. Avoid Unsafe Deserialization: Completely avoid deserializing untrusted data using . If JSON is used, ensure all values that could be interpreted as commands are rigorously sanitized or use a strict schema that prevents such types.
  2. Sanitize User Input: All inputs that are used in command execution (, , etc.) must be strictly validated and sanitized.
  3. Use with Lists: When executing external commands, always use the list-based argument format (e.g., ) instead of passing a shell command string ( or ).
  4. Implement Allow-listing: Maintain a strict allow-list of permitted commands and arguments for security-sensitive operations.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions