A flaw was found in Cockpit. This vulnerability allows a remote attacker
to achieve arbitrary command execution on the host by exploiting
unsanitized user-controlled parameters within crafted links in the
system logs user interface (UI). An attacker can inject shell
metacharacters and command substitutions into these parameters, leading
to the execution of arbitrary shell commands on the affected system.
This could result in a complete system compromise. [1]
The exploit requires the user to be logged in to Cockpit for the exploit
to be successful. This has been fixed in Cockpit 362, specifically the
linked commit. [2]
An POC is available in the test commit, an example of the exploit is
https://cockpiturl:9090/system/logs#/?boot=0;touch${IFS}/tmp/pwned;&priority=err.
[3]
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2451155
[2]
https://github.com/cockpit-project/cockpit/commit/e3a47d70f99a0dbbb427b3146ae9571cecc44296
[3]
https://github.com/cockpit-project/cockpit/commit/7b401c90fd775dd89ffce194c947ff2e74f5e5ee
