I have discovered a critical Remote Code Execution (RCE) vulnerability in the hexstrike_server.py script.
Vulnerability Detail
The script utilizes unsafe practices for handling user-provided commands, particularly within the deserialization and command execution functionalities.
-
**Unsafe Pickle Deserialization ( method):
- The method generates a Python pickle payload that executes arbitrary commands via .
- The variable is taken directly from user input without proper sanitization or validation.
-
**Unsafe JSON Deserialization ( method):
- The test payload for JSON deserialization directly embeds where the command part could be manipulated.
- Crucially, the variable used to construct this payload is not sanitized, allowing an attacker to inject arbitrary commands.
Impact
An unauthenticated attacker can send a specially crafted request to the server, triggering the deserialization of a malicious payload. This allows the attacker to execute arbitrary commands on the server with the privileges of the running HexStrike process, leading to a full system compromise.
Recommended Fix
- Avoid Unsafe Deserialization: Completely avoid deserializing untrusted data using . If JSON is used, ensure all values that could be interpreted as commands are rigorously sanitized or use a strict schema that prevents such types.
- Sanitize User Input: All inputs that are used in command execution (, , etc.) must be strictly validated and sanitized.
- Use with Lists: When executing external commands, always use the list-based argument format (e.g., ) instead of passing a shell command string ( or ).
- Implement Allow-listing: Maintain a strict allow-list of permitted commands and arguments for security-sensitive operations.
I have discovered a critical Remote Code Execution (RCE) vulnerability in the hexstrike_server.py script.
Vulnerability Detail
The script utilizes unsafe practices for handling user-provided commands, particularly within the deserialization and command execution functionalities.
**Unsafe Pickle Deserialization ( method):
**Unsafe JSON Deserialization ( method):
Impact
An unauthenticated attacker can send a specially crafted request to the server, triggering the deserialization of a malicious payload. This allows the attacker to execute arbitrary commands on the server with the privileges of the running HexStrike process, leading to a full system compromise.
Recommended Fix