CVE-2022-41958 - Privilege Escalation in Super-Xray Before .7 via YAML Config Injection

Super-xray is a widely used open-source web vulnerability scanner that's often employed by penetration testers and bug bounty hunters. In late 2022, a security issue was discovered affecting versions of super-xray prior to .7. The root cause: it trusted configuration files that were often assumed to be safe, but could be modified by a local attacker to compromise the program and potentially escalate privileges. This post will go into the details of CVE-2022-41958, how the exploitation works, example attacks, and what you should do next.

What is the Vulnerability?

The super-xray tool uses a YAML file to store its configurations. In versions prior to .7, the application doesn't properly validate the content of this file. YAML, when deserialized in certain languages like Python and Go, can lead to code execution if not handled carefully. Thus, a maliciously crafted config file could let a local attacker run arbitrary code as the user who launches super-xray.

References

- GitHub Advisory
- super-xray commit fixing the issue
- CVE Entry

How the Exploit Works

To exploit this bug, you need local access to a user's machine (or access to where they keep their config.yaml for super-xray). You modify this file to include malicious entries.

Here’s a super simplified example of what a malicious YAML config might look like

# config.yaml
some_setting: !!python/object/apply:os.system ["echo PWNED > /tmp/pwned.txt"]

> Note: This sample assumes a Python-like loader for illustrative purposes. super-xray is typically written in Go, which can have similar deserialization risks if not handled carefully.

If super-xray loads this config file unsafely, the attacker’s code runs every time a user starts the tool. This could write files, open network connections, or do much worse, all silently in the background.

Let's walk through a basic attack

1. Attacker gets shell/local access (could be through another exploit, compromised credentials, or physical access).

User runs super-xray, expecting a normal scan.

4. Malicious code executes under the user’s privileges. On a shared pen-test laptop, this could mean leaking API keys, writing files, or establishing further backdoors.

There are no remote vectors—this is strictly a local privilege escalation. But in collaborative environments, cloud VMs, or where many scripts call super-xray, the impact is real.

Here’s a Go code snippet demonstrating how unsafe YAML loading can result in code execution

package main

import (
    "gopkg.in/yaml.v2"
    "io/ioutil"
    "fmt"
    "os/exec"
)

type Config struct {
    SomeSetting string yaml:"some_setting"
}

func main() {
    data, _ := ioutil.ReadFile("config.yaml")
    var cfg Config
    yaml.Unmarshal(data, &cfg) // unsafe if types are not strictly enforced
    fmt.Println("Setting:", cfg.SomeSetting)
    // In real world, attacker could add fields with malicious values.
}

If an attacker can control what gets parsed by yaml.Unmarshal, and the struct or parser supports tags like !!map or !!python/object/apply, escalating privileges becomes trivial.

Patch Details

This issue was fixed in commit 4dd5966. The patch:

Will be shipped in super-xray versions .7 and up.

Users should upgrade immediately. There are no workarounds—if you can’t upgrade, you are at risk if anyone untrusted can write to your config.

Final Thoughts

CVE-2022-41958 is a textbook example of how trusting local “config” data can be dangerous, especially in tools run with elevated privileges or by many users. If you use super-xray, patch now and audit your environment.

Further Reading

- YAML Deserialization Attacks Explained
- super-xray GitHub Repo

Timeline

Published on: 11/25/2022 18:15:00 UTC
Last modified on: 11/30/2022 20:16:00 UTC