Author: LDrakura
Chaosblade versions 0.3 to 1.7.3
Starting from version 0.3, Chaosblade supports server mode, which exposes an HTTP service that allows users to interact with Chaosblade via HTTP requests. However, this server mode lacks authentication, and HTTP parameters are not validated before being passed to exec.CommandContext for execution.
This vulnerability allows unauthenticated attackers to remotely invoke the HTTP service and execute arbitrary commands on any Chaosblade instance with server mode enabled. This could lead to unauthorized access and control over the host system running Chaosblade.
Server mode has been disabled in version 1.7.4, and users are advised to upgrade to version 1.7.4. For more details, please visit the Chaosblade v1.7.4 release page.
The server mode registers the route /chaosblade and accepts a cmd parameter.
cli/cmd/server_start.go
No filtering is applied to the parameter; it is passed directly to channel.NewLocalChannel().Run(ctx, path.Join(util.GetProgramPath(), "blade"), cmds[0]) for execution.
This function is located in the package github.com/chaosblade-io/chaosblade-spec-go, in the file channel/local_unixs.go.
The Run function directly calls execScript(ctx, script, args), where args is cmds[0].
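The two weaknesses described above (no authentication on the /chaosblade route, and the cmd parameter reaching exec.CommandContext unvalidated) are what a hardened handler has to close. The Go program below is an added example written for this advisory; it is not code from the Chaosblade project or its author. It assumes a bearer token checked in constant time, a hypothetical allowlist of blade subcommands, a character allowlist for the remaining tokens, and an argv-style exec call with no shell in between, so a parameter token can never become a second command. The blade path, token, port and the allowlisted subcommand names are placeholders chosen for the example.

```go
package main

import (
	"context"
	"crypto/subtle"
	"errors"
	"fmt"
	"log"
	"net/http"
	"os/exec"
	"regexp"
	"strings"
	"time"
)

// Runner executes a program with an explicit argv. It is a function type so the
// handler can be exercised without a real blade binary on the machine.
type Runner func(ctx context.Context, name string, args ...string) ([]byte, error)

// ExecRunner hands argv straight to exec.CommandContext: no shell is involved,
// so metacharacters inside a token are just bytes in an argument.
func ExecRunner(ctx context.Context, name string, args ...string) ([]byte, error) {
	return exec.CommandContext(ctx, name, args...).CombinedOutput()
}

// allowedSubcommands is a hypothetical allowlist of blade subcommands a remote
// caller may invoke; a real deployment would restrict this to what it needs.
var allowedSubcommands = map[string]bool{
	"create": true, "destroy": true, "status": true, "query": true,
}

// safeToken accepts only the characters that occur in blade flags and values.
var safeToken = regexp.MustCompile(`^[A-Za-z0-9_.:/=@,-]+$`)

// ValidateCmd turns the raw cmd parameter into argv and rejects anything that is
// not an allowlisted subcommand followed by tokens matching safeToken.
func ValidateCmd(raw string) ([]string, error) {
	args := strings.Fields(raw)
	if len(args) == 0 {
		return nil, errors.New("empty cmd parameter")
	}
	if !allowedSubcommands[args[0]] {
		return nil, fmt.Errorf("subcommand %q is not allowed", args[0])
	}
	for _, a := range args[1:] {
		if !safeToken.MatchString(a) {
			return nil, fmt.Errorf("argument %q contains disallowed characters", a)
		}
	}
	return args, nil
}

// Authorized checks an "Authorization: Bearer <token>" header in constant time.
func Authorized(r *http.Request, token string) bool {
	const prefix = "Bearer "
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, prefix) {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(h[len(prefix):]), []byte(token)) == 1
}

// NewHandler builds a /chaosblade handler that requires the token and only
// passes validated argv to run. Nothing from the request is interpolated into
// a shell string.
func NewHandler(bladePath, token string, run Runner) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !Authorized(r, token) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		args, err := ValidateCmd(r.URL.Query().Get("cmd"))
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		ctx, cancel := context.WithTimeout(r.Context(), 30*time.Second)
		defer cancel()
		out, err := run(ctx, bladePath, args...)
		if err != nil {
			http.Error(w, "command failed", http.StatusInternalServerError)
			return
		}
		_, _ = w.Write(out)
	}
}

func main() {
	// Placeholder path, token and listen address; a deployment loads these from config.
	http.Handle("/chaosblade", NewHandler("/opt/chaosblade/blade", "REPLACE_ME_TOKEN", ExecRunner))
	log.Fatal(http.ListenAndServe("127.0.0.1:9526", nil))
}
```

The important design choice is that validation and exec are separate layers: even if the allowlist is relaxed later, ExecRunner still never builds a shell command line, and even if a token leaks, the allowlist still bounds what the service will run.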