X41 D-Sec GmbH Security Advisory: X41-2017-007

Remote command execution in Shadowsocks ConnecTion


Summary and Impact

The Shadowsocks wrapper “ShadowSocks ConnecTion” crawls a web page for Shadowsocks server credentials. This page is retrieved via unencrypted HTTP from URI “http://ss.ishadowx.com” as default. It starts Shadowsocks with the parsed credentials at line 98-101 in version 0.4, line 82-85 in version 0.5 using check_call(sss, shell=True).

If an attacker is able to modify the parsed web page due to a man in the middle attack, a vulnerability on the web page or through a malicious web page itself, the parameters could be modified to execute a command on the machine running ShadowSocks ConnecTion. E.g. “; #" could be attached to or used as an parameter to execute code on target machines.

Product Description

ShadowSocks ConnecTion is a wrapper tool for Shadowsocks to consistently bypass firewalls. It parses a given website for Shadowsocks server credentials and uses the credentials to connect to a Shadowsocks server.


Use a ShadowSocks ConnecTion version with the patch from commit “https://github.com/wanjunzh/ssct/commit/f674f7dfe719b41da1fd502f2f17f34d31d0a1d0”.

About X41 D-Sec GmbH

X41 D-Sec is a provider of application security services. We focus on application code reviews, design review and security testing. X41 D-Sec GmbH was founded in 2015 by Markus Vervier. We support customers in various industries such as finance, software development and public institutions.