WASM

it was initially revealed that there is wasmer installed in the system. Additionally, I found out that the admin user has sudo privileges to execute a Go program located at /opt/wasm-functions/index.go

admin@ophiuchi:/opt/wasm-functions$ ll
total 3928
drwxr-xr-x 3 root root    4096 Oct 14  2020 ./
drwxr-xr-x 5 root root    4096 Oct 14  2020 ../
drwxr-xr-x 2 root root    4096 Oct 14  2020 backup/
-rw-r--r-- 1 root root      88 Oct 14  2020 deploy.sh
-rwxr-xr-x 1 root root 2516736 Oct 14  2020 index*
-rw-rw-r-- 1 root root     522 Oct 14  2020 index.go
-rwxrwxr-x 1 root root 1479371 Oct 14  2020 main.wasm*

The /opt/wasm-functions directory is where the Go program is located along with some other interesting files

index.go

admin@ophiuchi:/opt/wasm-functions$ cat /opt/wasm-functions/index.go
package main
 
import (
	"fmt"
	wasm "github.com/wasmerio/wasmer-go/wasmer"
	"os/exec"
	"log"
)
 
 
func main() {
	bytes, _ := wasm.ReadBytes("main.wasm")
 
	instance, _ := wasm.NewInstance(bytes)
	defer instance.Close()
	init := instance.Exports["info"]
	result,_ := init()
	f := result.String()
	if (f != "1") {
		fmt.Println("Not ready to deploy")
	} else {
		fmt.Println("Ready to deploy")
		out, err := exec.Command("/bin/sh", "deploy.sh").Output()
		if err != nil {
			log.Fatal(err)
		}
		fmt.Println(string(out))
	}
}

The content of the index.go file is shown above

ChatGPT breaks down the program. The program does the following:

reads and instantiates a WASM binary; main.wasm
checks for the value of “info” export from the instantiated module
- if the value ‘s 1 print out “Ready to deploy” and execute the deploy.sh file using exec.Command
- else print out “Not ready to deploy”

deploy.sh

admin@ophiuchi:/opt/wasm-functions$ cat deploy.sh 
#!/bin/bash
 
# ToDo
# Create script to automatic deploy our new web at tomcat port 8080

While the deploy.sh file is pretty much empty, the comments gives away that it was scheduled to be deployed. At least point, I’d assume that the main.wasm WASM binary contains the “new web”

Assessment

admin@ophiuchi:/opt/wasm-functions$ sudo -u root /usr/bin/go run /opt/wasm-functions/index.go
Not ready to deploy

I ran the sudo-privileged command to see how it would behave and the output shows that Not ready to deploy That implies that the value of “info” export is not equal to 1 as the index.go file suggests aboove

It surely uses the exec.Command function to run the bash script; deploy.sh The interesting thing is that the deploy.sh file is defined without an absolute path

Same thing for the main.wasm WASM binary. No absolute path

This certainly is a privilege escalation vector. I may be able to get code execution my crafting my own main.wasm and deploy.sh

InfoSec LAB

Explorer

Ophiuchi_WASM

WASM

index.go

deploy.sh

Assessment

Interactive Graph View

Table of Contents

Backlinks