Package: src:bettercap
Version: 2.33.0-2
Severity: critical
Dear Debian Bettercap Maintainer,
Bettercap 2.33.0-2 installs and starts a systemd service (bettercap.service)
running as root. The service enables the REST API (api.rest) on
127.0.0.1:8081 with authentication disabled by default because both
api.rest.username and api.rest.password are empty.
As a result, any local unprivileged user can send a POST request to
/api/session with a payload such as:
{"cmd":"!id"}
The ! command execution feature causes arbitrary shell commands to be
executed as root, resulting in a local privilege escalation.
The service logs explicitly report that authentication is disabled when the
username/password are unset.
Impact:
-
Local privilege escalation to root.
-
Arbitrary command execution as root.
-
No authentication required.
-
CVSS v3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
-
Related CWEs: CWE-306, CWE-78.
Suggested fix:
-
Do not install or enable bettercap.service by default, as it is not part
of the documented installation procedure.
-
Alternatively, configure the service to require REST API authentication
by default and/or avoid running it as root unless strictly necessary.
A complete proof-of-concept is available and can be provided if needed.
Regards,
--
Raffaele Forte
Cybersecurity Specialist
Founder at BackBox.org <https://www.backbox.org>