Security researchers praise project maintainers for fixing RCE bug that could have been exploited at scale

Vulnerabilities in the popular Tiny Tiny RSS (TT-RSS) feed reader that posed a remote code execution risk and might have being exploited at scale have been resolved.

A series of problems in TT-RSS were discovered after a systematic evaluation by security researchers Daniel Neagaru and Benjamin Nadarević at security start-up DigeeX.

Andrew Dolgov, TT-RSS’ main developer, acted promptly to triage and resolve all the issues reported, allowing the researchers to go public with a detailed write-up of their findings this week.

DigeeX praised the developers’ handling of the disclosure process.

“We do not know how other RSS readers compare to TT-RSS, but we know the developer has fixed all of our findings and more, and it’s moving the project into the right direction,” Neagaru told The Daily Swig.

Chain of bugs

In their write-up, the researchers explain how they uncovered a succession of security vulnerabilities in TT-RSS through a mixture of source code analysis and looking at the behavior of the web app.

In the process they discovered two cross-site scripting (XSS), server-side request forgery (SSRF), and Local File Inclusion (LFI) flaws in TT-RSS.

Painstaking work revealed that these security bugs could be used in combination to achieve remote code execution (RCE) in the default docker installation of TT-RSS.

The impact of the resolved vulnerabilities is severe because it might have been abused to infect TT-RSS servers en mass without targeting each user individually, Neagaru explained.

“To exploit the remote code execution flaw, an attacker needs to have access to a popular feed, either his own, or from a compromised website,” Neagaru said.

Read more of the latest open source software security news

“Our research was focused on exploiting the recommended installation method, which is using docker, with one of the containers running PHP-FPM on port 9000.

“In such situations, it’s possible for a threat actor with access to the popular feed, to create a new malicious article, that will abuse libcurl support for Gopher protocol, to craft a custom FastCGI packet, send it to PHP-FPM, and install a backdoor on the server,” he added.

Even when conditions aren’t met, Neagaru warned, an attacker can abuse the flaw to perform LFI/SSRF, and “combined with the XSS flaws we found, to steal sensitive data from the server”.

Tiny Tiny RSS is a free and open source web-based RSS and Atom feed reader and aggregator. The technology works as a server-side AJAX-powered application.

YOU MIGHT ALSO LIKE Security researchers resolve crypto flaws in JHipster apps