Overview
CVE-2023-50094 is a high-severity authenticated command injection vulnerability in reNgine, an automated reconnaissance framework widely used by penetration testers and bug bounty hunters. The flaw allows any authenticated user to execute arbitrary shell commands on the host (or container) running reNgine, which in vulnerable deployments amounts to full compromise of that system.
Because reNgine is a network-facing tool that already wraps command-line scanners, a successful exploit gives an attacker persistent shell access, a starting point for privilege escalation, and the ability to exfiltrate the reconnaissance data the instance holds.
Vulnerability Summary
| Field | Detail |
|---|---|
| CVE ID | CVE-2023-50094 |
| Severity | High (CVSS 3.x base score 8.8) |
| Attack Vector | Network |
| Privileges Required | Low (authenticated user) |
| User Interaction | None |
| Impact | Remote Code Execution (RCE) |
| Affected Endpoint | `/api/tools/waf_detector/` |
Affected Products
| Product | Affected Versions |
|---|---|
| reNgine | v1.2.0 to v2.0.2 |
How the Exploit Works
The vulnerability is located in the WAF detection API route (`/api/tools/waf_detector/`), where the `url` parameter is interpolated directly into a shell command string that is executed with Python's `subprocess.check_output` and `shell=True`.
Because the input is neither validated nor escaped, an attacker can terminate the intended command and append their own using shell metacharacters such as `;`, `&&`, or `|`. Whatever follows runs with the privileges of the reNgine process: if that process runs as root (e.g., as root inside the Docker container), the attacker gets root in the container, and from there the host is only as safe as the container's isolation.
Conceptual Exploit Example
Here is a conceptual example demonstrating how an attacker could exploit the flaw:
In this example, the command `id` is injected via the `url` parameter and executed on the server. An attacker could replace this with any payload, such as:
Resulting in full remote code execution on the server.
Recommendations for Mitigation
To mitigate the risks associated with CVE-2023-50094:
- Update reNgine immediately. Upgrade to version 2.1.2 or later, which sanitizes the input and removes the unsafe shell invocation.
- Restrict API access. Limit reachability of reNgine's API endpoints with IP allow-listing, a VPN, or an authenticating reverse proxy. Because the bug requires an account, this only narrows who can attempt it; it is not a substitute for patching.
- Run with least privilege. Run the reNgine process as a non-root user. Docker alone does not achieve this: a process running as root inside the container is still root in that container, so drop to an unprivileged user and limit what the container can reach.
- Audit user roles. Reassess who holds accounts on the reNgine interface and API, since any authenticated user can trigger the flaw, and remove stale or shared accounts.
- Sanitize user input. Never pass user-controlled input to a shell. Use argument arrays with `subprocess.run()` (without `shell=True`) and validate the value against the format you expect before it reaches any subprocess.
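As an added illustration (not reNgine's own code, which is not reproduced here), the following Python contrasts the unsafe pattern described in "How the Exploit Works" with the two layers the last recommendation calls for: argument-array execution and input validation. It assumes a stand-in scanner (`echo`) in place of the real WAF fingerprinting tool, and the `url` values are constructed for the demonstration:

```python
import re
import subprocess
from urllib.parse import urlparse

# Stand-in for the external scanner binary so the example runs anywhere:
# "echo" just prints its arguments, which is enough to show whether a second,
# injected command ran. (Assumption: the real handler invokes a WAF
# fingerprinting tool; its exact command line is not reproduced here.)
SCANNER = "echo"

# Conservative hostname allow-list: letters, digits, dots and hyphens only.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def vulnerable_waf_detect(url: str) -> str:
    """The unsafe pattern: untrusted input formatted into a shell string.

    With shell=True, /bin/sh parses the string, so a url of
    "http://example.com; echo INJECTED" becomes two commands.
    """
    cmd = f"{SCANNER} scanning {url}"
    return subprocess.check_output(cmd, shell=True, text=True)


def run_scanner(target: str) -> str:
    """Argument-array invocation: no shell is involved, so metacharacters in
    `target` reach the scanner as literal characters and nothing else runs."""
    return subprocess.check_output([SCANNER, "scanning", target], text=True)


def validate_target_url(url: str) -> str:
    """Second layer: reject anything that is not a plain http(s) URL with a
    well-formed hostname, before it gets anywhere near a subprocess."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"rejected target (scheme): {url!r}")
    host = parsed.hostname or ""
    if not _HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected target (hostname): {url!r}")
    return url


def hardened_waf_detect(url: str) -> str:
    """Validation plus argument-array execution."""
    return run_scanner(validate_target_url(url))


if __name__ == "__main__":
    benign = "http://example.com"
    hostile = "http://example.com; echo INJECTED"  # constructed payload
    print("vulnerable:", repr(vulnerable_waf_detect(hostile)))
    print("array form:", repr(run_scanner(hostile)))
    print("hardened  :", repr(hardened_waf_detect(benign)))
    try:
        hardened_waf_detect(hostile)
    except ValueError as exc:
        print("hardened  :", exc)
```

Running the block shows the injected `echo INJECTED` executing as a second command under `shell=True`, while the argument-array form hands the entire string to the scanner as one literal argument. The hostname allow-list is deliberately narrow (it rejects IPv6 literals and non-ASCII names, for instance); widen it only with an explicit check for each additional form you actually need to accept.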
Timeline and Response
- Reported: July 2024
- Patched: July 23, 2024
- Fixed in: reNgine v2.1.2
- Disclosed by: GitHub Security Advisory Team
Closing Thoughts
CVE-2023-50094 reinforces a basic rule: never hand user input to a shell, least of all in web-based automation tools whose job is to invoke system-level scanners. In highly extensible systems like reNgine, a single command injection becomes a full takeover vector if left unaddressed.
Users and organizations relying on reNgine should patch immediately and, because the flaw is reachable by any authenticated account, review existing accounts and audit each instance for unauthorized access or persistence left behind by earlier exploitation.