X41 D-Sec GmbH Security Advisory: X41-2017-007
Remote command execution in Shadowsocks ConnecTion
Severity Rating: High
Confirmed Affected Versions: 0.4, 0.5
Confirmed Patched Versions: after commit f674f7dfe719b41da1fd502f2f17f34d31d0a1d0
Vendor URL: https://github.com/wanjunzh/ssct
Credit: X41 D-Sec GmbH, Niklas Abel
CVE: Not assgined yet
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L
Summary and Impact
The Shadowsocks wrapper “ShadowSocks ConnecTion” crawls a web page for Shadowsocks server credentials. This page is retrieved via unencrypted HTTP from URI “http://ss.ishadowx.com” as default. It starts Shadowsocks with the parsed credentials at line 98-101 in version 0.4, line 82-85 in version 0.5 using check_call(sss, shell=True).
If an attacker is able to modify the parsed web page due to a man in the middle attack, a vulnerability on the web page or through a malicious web page itself, the parameters could be modified to execute a command on the machine running ShadowSocks ConnecTion. E.g. “;
ShadowSocks ConnecTion is a wrapper tool for Shadowsocks to consistently bypass firewalls. It parses a given website for Shadowsocks server credentials and uses the credentials to connect to a Shadowsocks server.
Use a ShadowSocks ConnecTion version with the patch from commit “https://github.com/wanjunzh/ssct/commit/f674f7dfe719b41da1fd502f2f17f34d31d0a1d0”.
About X41 D-Sec GmbH
X41 D-Sec is a provider of application security services. We focus on application code reviews, design review and security testing. X41 D-Sec GmbH was founded in 2015 by Markus Vervier. We support customers in various industries such as finance, software development and public institutions.
2017-09-29 Issues found
2017-10-05 Vendor contacted
2017-10-06 Vendor contacted, replied with PGP key
2017-10-11 Advisory was sent to Vendor
2017-11-07 0.5 still unpatched, sent a deadline of one month to the vendor
2017-12-07 Deadline for public release has been reached
2017-12-15 CVE ID requested
2017-12-18 Created public issue on GitHub
2017-12-18 Advisory release
2017-12-21 Issues fixed with commit f674f7dfe719b41da1fd502f2f17f34d31d0a1d0
2018-01-05 Advisory updated, patch confirmed