After a conference talk, a blog post, and full public disclosure, the RCE remains unaddressed. The maintainers of the WebPageTest project appear to be ignoring a serious remote code execution (RCE) vulnerability, despite a researcher’s best efforts at responsible disclosure.

The pre-authentication RCE vulnerability in the open source project WebPageTest was identified by ManoMano researcher Louka “Laluka” Jacques-Chevallier and discussed in a blog post published on September 23.

A talk on the research was also presented at DEFCON Paris.

WebPageTest was created by Catchpoint and dates back to the 1990s and the dial-up modem era. It has since grown into a programme for measuring the speed and performance of website code so that pages can be optimized.

The researcher claims that this programme has historically been “prone” to security problems because of infrequent code and container updates, obsolete components left unpatched against known vulnerabilities, and the “heavy use of stinky PHP code.”

In October 2021, WebPageTest published its v22.01 stable release.

WebPageTest has previously been reported to contain server-side request forgery (SSRF) vulnerabilities: flaws that let an attacker coax a server-side application into sending requests to an unintended site or resource on the attacker’s behalf.

Laluka’s research focused on a newly found SSRF weakness.

In less than 15 minutes of reading the software’s source code and running crawling and fuzzing tests, Laluka found an SSRF vulnerability. Although the SSRF was restricted to the HTTP scheme, the underlying code went on to surprise the researcher in other ways.
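The article notes that restricting the SSRF to the HTTP scheme did not make the fetch safe. The following guard, added here as an illustration and not code from WebPageTest or the researcher, shows what a server-side fetcher has to check beyond the scheme before it follows a user-supplied URL: no credentials in the URL, an allowed port, and every address the hostname resolves to being a public unicast address. The hostnames and IP addresses in the lookup table are constructed so the example runs offline; in real use the resolver would be a DNS lookup.

```python
"""SSRF guard for a server-side fetcher: scheme, userinfo, port and
destination-address checks. Added illustration, not WebPageTest code."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed DNS table standing in for a real resolver so the example
# runs offline; the hostnames and addresses are invented for this demo.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "intranet.test": ["10.0.0.5"],
    "mixed.test": ["93.184.216.34", "10.0.0.5"],   # one public, one private
}


def fake_resolve(host):
    """Stand-in resolver: returns the constructed answers for a hostname."""
    return FAKE_DNS.get(host.lower(), [])


def _is_public(addr_text):
    """True only for a globally routable unicast address."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return False
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) before classifying,
    # otherwise loopback hides behind an IPv6 literal.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # is_global already excludes loopback, link-local, private and CGNAT
    # ranges; multicast is checked separately because IPv4 is_global
    # does not exclude it.
    return addr.is_global and not addr.is_multicast


def check_fetch_target(url, resolve=fake_resolve):
    """Return (allowed, reason, addresses).

    Every resolved address must be public: a single private answer in a
    multi-record response rejects the whole request.
    """
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a bad port
    except ValueError:
        return False, "unparseable url or port", []
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in url", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", []
    try:
        ipaddress.ip_address(host)
        addrs = [host]               # literal address, no lookup needed
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, "host does not resolve", []
    for a in addrs:
        if not _is_public(a):
            return False, f"{host} resolves to non-public address {a}", addrs
    return True, "ok", addrs


if __name__ == "__main__":
    for u in ("http://example.com/", "http://localhost/",
              "http://[::ffff:127.0.0.1]/", "http://mixed.test/",
              "http://example.com:8080/"):
        print(u, "->", check_fetch_target(u)[:2])
```

The check is only meaningful if the HTTP client then connects to the address that was validated (by overriding its resolver or connecting to the IP and setting the Host header); resolving a second time at connect time reopens the door to DNS rebinding, and redirects returned by the target must be passed back through the same check.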

Under the microscope

When Laluka looked more closely, he found a number of problems in the PHP code, including a path handling issue in which a slash could be used to smuggle a payload, file write faults, and sanitization errors. The researcher eventually chained these into a command injection, a reverse shell, and abuse of the JSON job files, achieving RCE.

The RCE can also be reached when the Beanstalkd work queue engine is in use. Laluka claims that, even though these components are not present in the default setups, the SSRF and command injection flaws could still be used to inject a new, malicious task and force the worker to process the file.

After discovering the initial SSRF flaw on April 15, the researcher had confirmed the entire RCE exploit chain by May 25. Catchpoint responded on June 15, but the lines of communication were described as “very laborious”.

‘Open bag’

Even after receiving a video proof-of-concept (PoC) and the technical details of the problem, the vendor did not reply until July 28, when Catchpoint proposed a $300 “large” bug bounty award.

Although Laluka offered to assist with patch validation, nothing has been heard since. He was compensated, but more than 90 days have passed with no sign of a fix.

Laluka said: “I think that this software can be incredibly helpful for developers and site reliability engineers, but that the coding isn’t even following acceptable principles.” It mainly consists of features in an open bag.
