Developers patch vulnerability in open source project within 24 hours
A remote code execution (RCE) vulnerability that could expose a user’s cloud assets has been patched in the open source, Elixir-based Paginator project.
Discovered by security expert Peter Stöckli, the bug could be exploited by attackers to tamper with or hijack cloud assets belonging to companies utilizing Paginator.
Paginator is software for implementing cursor-based pagination in Elixir Ecto, a data mapping tool. The project is maintained by Duffel, a UK-based developer of travel tools and flight search software.
“Since Duffel seemed to use Paginator for its own REST API it seems likely that an attacker exploiting this vulnerability would have been able to execute code on Duffel’s (cloud) assets,” the researcher noted.
The RCE bug was exploitable because the binary_to_term function was applied to untrusted user data. Input parameters sent to the paginate() function, such as the user-provided before and after cursors, could be used to trigger an exploit.
Stöckli created two proof-of-concept exploits to demonstrate how the vulnerability could be weaponized, one of which started xcalc and the other, print-stacktrace.
These create Base64-encoded exploit payloads – more likely to execute automatically due to Elixir’s Enumerable protocol – which also contain anonymous functions that are called by the protocol to trigger on a vulnerable server.
The vulnerability has been patched in version 1.0.0 of Paginator. The fixed version uses a dependency that requires Elixir version 1.5 and above.
The researcher noted that this is not the first incident where binary_to_term and untrusted data sources could lead to severe vulnerabilities. Four years ago, for example, Griffin Byatt discovered a separate vulnerability in the Elixir Plug caused by the Enumerable protocol.
“The official Erlang documentation does ‘warn’ about binary_to_term/1, and recommends binary_to_term/2,” Stöckli says.
“However, using binary_to_term/2 is not a protection against the code execution shown here. In fact, the paginator library used binary_to_term/2 with the safe option. Using binary_to_term/2 with the safe option only protects against certain Denial of Service attacks.”
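To make the point above concrete, here is an added Elixir example (not code from the article, the researcher, or the Paginator project) of a cursor decoder that does not rely on the safe option alone. It assumes the cursor is URL-safe Base64 of an Erlang external term, and the module name SafeCursor is a constructed name. Decoding with [:safe] only blocks new atoms and references to unloaded modules; any function embedded in the payload still comes back as a live term, so the decoded value is walked and rejected if a function appears anywhere inside it before the pagination code touches it.

```elixir
defmodule SafeCursor do
  @moduledoc """
  Constructed example: decode a pagination cursor and refuse any term that
  contains a function, since protocol dispatch (e.g. Enumerable) can end up
  calling such a function on the server.
  """

  # Decode a URL-safe Base64 cursor (assumed encoding) into a plain data term.
  def decode(cursor) when is_binary(cursor) do
    with {:ok, bin} <- Base.url_decode64(cursor, padding: false),
         {:ok, term} <- safe_to_term(bin),
         :ok <- reject_executable(term) do
      {:ok, term}
    else
      :error -> {:error, :invalid_cursor}
      {:error, reason} -> {:error, reason}
    end
  end

  # Encode a cursor; refuse to emit anything that the decoder would reject.
  def encode(term) do
    case reject_executable(term) do
      :ok -> {:ok, Base.url_encode64(:erlang.term_to_binary(term), padding: false)}
      err -> err
    end
  end

  # The :safe option stops unknown atoms and unloaded-module references
  # (a denial-of-service concern) but does not stop function terms.
  defp safe_to_term(bin) do
    {:ok, :erlang.binary_to_term(bin, [:safe])}
  rescue
    ArgumentError -> {:error, :malformed}
  end

  # Walk the term; functions are the executable values we do not want.
  defp reject_executable(term) when is_function(term), do: {:error, :executable_term}
  defp reject_executable(term) when is_list(term), do: each_ok(term)
  defp reject_executable(term) when is_tuple(term), do: each_ok(Tuple.to_list(term))
  # Structs are maps too, so this clause covers both keys and values of either.
  defp reject_executable(%{} = map), do: map |> Map.to_list() |> each_ok()
  defp reject_executable(_term), do: :ok

  defp each_ok(items) do
    Enum.find_value(items, :ok, fn item ->
      case reject_executable(item) do
        :ok -> nil
        err -> err
      end
    end)
  end
end

# Usage (a well-formed cursor round-trips; a cursor carrying a fun is rejected):
{:ok, cursor} = SafeCursor.encode(%{id: 42, inserted_at: ~N[2020-08-04 18:07:00]})
{:ok, _} = SafeCursor.decode(cursor)
{:error, :executable_term} =
  SafeCursor.decode(Base.url_encode64(:erlang.term_to_binary([fn -> :x end]), padding: false))
```

The plug_crypto library ships a ready-made equivalent, Plug.Crypto.non_executable_binary_to_term/2, which is the more practical choice in an application that already depends on Plug; the hand-written walk above is only meant to show why the check has to happen after decoding rather than be delegated to the safe option.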
Mitigations are documented here.
Speaking to The Daily Swig, Stöckli said it is “hard to say” what real-world applications the RCE could have beyond Duffel’s systems, and that there may not be any “as far as he knows”.
After Stöckli privately disclosed the vulnerability to Duffel, the UK startup took less than a day to take action and patch the security issue. In addition, despite not having an official bug bounty program, the company paid the researcher a £1000 reward.
Stöckli donated part of the bug bounty to a Lebanon fund designed to assist victims affected by the August Beirut port explosion.
The Daily Swig has reached out to Duffel for comment and will update this article accordingly.