CVE-2022-41958: Super-XRay Web Vulnerability Scanning Tool YAML Configuration Abuse

Today, we'll be discussing a newly-found vulnerability in the Super-XRay web vulnerability scanning tool that has the potential to compromise the integrity of the application. The issue, designated as CVE-2022-41958, stems from the fact that Super-XRay versions prior to .7 didn't properly handle untrusted input in their program configuration, which is conveniently stored in a YAML file. We'll go over the details of the exploit, show a sample code snippet, and provide you with essential links to original references to ensure the security of your systems.

Exploit Details

Super-XRay is a popular web vulnerability scanning tool that relies on its YAML configuration files to function correctly. Unfortunately, in versions of the tool prior to .7, these files were assumed to contain only trusted input. However, this isn't always the case. As a result, an attacker with local access to the configuration file could manipulate it, potentially compromising the program's behavior and undermining its security measures.

This vulnerability was identified and addressed in commit 4dd5966, with the fix slated for inclusion in the upcoming releases. If you're using an affected version, it's strongly advised to upgrade as soon as possible to patch this issue. At the moment, there are no known workarounds for this particular vulnerability.

Here is an example of how the config file may look like in the affected version

super_xray:
  scanner_options:
    trusted_input: true

An attacker could abuse this file by changing the trusted_input value to false or modifying other configurations they see fit, which leads to a comprise of the scanning tool.

1. Super-XRay GitHub Repository: https://github.com/super-xray/super-xray

2. Commit Fixing the Vulnerability (Commit 4dd5966): https://github.com/super-xray/super-xray/commit/4dd5966

3. CVE-2022-41958 Official CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41958

Conclusion

In summary, CVE-2022-41958 is a significant security vulnerability affecting Super-XRay web vulnerability scanning tool. If you're using a version prior to .7, it's important to address this issue and upgrade as the developers have already released a fix, available in the provided GitHub commit 4dd5966. However, be aware that there are no existing workarounds for this problem, making it essential to stay vigilant and keep your systems up to date with the latest security patches.

Timeline

Published on: 11/25/2022 18:15:00 UTC
Last modified on: 11/30/2022 20:16:00 UTC