OneUptime Command Injection Vulnerability
A critical command injection vulnerability, identified as CVE-2026-27728, has been discovered in OneUptime, a platform for monitoring and managing online services. This flaw allows authenticated users to execute arbitrary operating system commands on the Probe server, posing a significant risk of a full system takeover.
Organizations using versions prior to 10.0.7 are urged to patch immediately.
Vulnerability Details
The vulnerability exists in the NetworkPathMonitor.performTraceroute() function within the OneUptime Probe Server component, which handles network traceroute operations and accepts user-controlled input, specifically the destination field from a monitor’s configuration.
The root cause lies in how the application processes this input. The vulnerable code uses the exec() function from Node.js’s child_process module to spawn shell commands. Because exec() executes commands within a shell environment, it interprets shell metacharacters like ;, |, &, $(), and backticks.
This allows an attacker to break out of the intended traceroute operation and inject their own malicious commands. While the intended functionality only allows users to configure monitoring endpoints, this flaw enables any authenticated project user, even those with limited permissions, to achieve full remote code execution (RCE) on the underlying Probe server.
Exploitation of the Vulnerability
To exploit this vulnerability, an attacker requires low-level authentication as a project user. They can craft a malicious monitor configuration where the destination field includes shell metacharacters followed by arbitrary commands. For example, injecting example.com; cat /etc/passwd or $(malicious_command) would execute the injected command alongside the traceroute.
When the Probe server processes this monitor, the injected commands execute with the same privileges as the Probe server process. This can lead to a complete server compromise, allowing attackers to exfiltrate sensitive data or move laterally within the organization’s infrastructure.
Fix and Remediation
OneUptime addressed this issue in version 10.0.7. The security patch replaces the vulnerable exec() function with execFile(). Unlike exec(), execFile() executes a specified file directly and passes arguments as an array rather than spawning a shell. This prevents the interpretation of shell metacharacters, effectively eliminating the command injection vector.
Recommended Mitigations
- Patch Immediately: Upgrade OneUptime to version 10.0.7 or later to implement the secure execFile() function and destination validation.
- Audit Configurations: Review existing monitor configurations for any suspicious destination values containing special characters.
- Monitor Systems: Watch for unusual process spawning, unexpected network connections, or unauthorized file system modifications on Probe servers.
- Apply Workarounds: If immediate patching isn’t possible, isolate Probe servers, limit project user permissions to trusted individuals, and restrict network access to the servers.
Original article: https://gbhackers.com/oneuptime-command-injection-vulnerability/
