CVE-2024-53442 - Command Injection on Whapa
Command Injection - Opening HTML Report Functionality
Repository URL: https://github.com/B16f00t/whapa/tree/master
Code URL: https://github.com/B16f00t/whapa/blob/master/whapa-gui.py#L787
    def report(self):
        """Open the report"""
        self.path = filedialog.askopenfilename(title="Select file", filetypes=(("html files", "*.html"), ), initialdir = "report")
        if not self.path:
            return
        if system == "Linux":
            os.system('xdg-open "{}"'.format(self.path))
        else:
            os.startfile(self.path)
When opening HTML reports within Whapa, a specially crafted filename can be used to gain command injection on Linux systems, because the selected filename is passed straight to os.system('xdg-open "<filename>"') without sanitization: a double quote inside the name closes the quoted argument, and the remainder of the name is interpreted by the shell as further commands.
Proof of Concept
A specially crafted filename can be created via the following command: touch 'report"; touch exploit.txt; ".html'. Then within Whapa, select Open Report and open up the file we just created. After erroring out, our exploit.txt file will then be created.
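As an added example (not code from the advisory or the whapa project), the string-interpolation pattern from whapa-gui.py is shown beside a hardened form that hands the filename to subprocess as a single argv element with no shell. The `opener` parameter and the `ECHO_ARG` stand-in are assumptions introduced here so the function can be exercised without xdg-open; the crafted name is the one from the proof of concept above and is never passed to a shell.

```python
import shlex
import subprocess
import sys

# Filename from the advisory's proof of concept (constructed sample; in this script it
# is only tokenised and echoed back, never executed).
CRAFTED_NAME = 'report"; touch exploit.txt; ".html'


def vulnerable_command(path: str) -> str:
    """Same construction as whapa-gui.py: the path is interpolated into a shell string."""
    return 'xdg-open "{}"'.format(path)


def shell_tokens(command: str) -> list[str]:
    """Tokenise a command string the way a POSIX shell would (quotes, ';' separators).

    Shows why the interpolated string is dangerous: the crafted name does not stay one
    word, it splits into a second command ('touch exploit.txt') after a ';'.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def open_report(path: str, opener: tuple[str, ...] = ("xdg-open",)) -> subprocess.CompletedProcess:
    """Hardened form: argv list and no shell, so the path is always exactly one argument.

    `opener` is a hypothetical parameter (not in whapa) so the function can be run with a
    harmless stand-in program instead of xdg-open.
    """
    return subprocess.run([*opener, path], capture_output=True, text=True, check=False)


# Stand-in opener: a Python one-liner that writes back its first argument unchanged,
# which lets us verify the crafted name arrives intact as a single argv element.
ECHO_ARG = (sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])")


if __name__ == "__main__":
    print(shell_tokens(vulnerable_command(CRAFTED_NAME)))
    print(repr(open_report(CRAFTED_NAME, ECHO_ARG).stdout))
```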