X41 D-Sec GmbH Security Advisory: X41-2017-009

Remote command execution in Shadowsocks auto-ss

Overview

Summary and Impact

The Shadowsocks wrapper “auto-ss” logs into the website “https://www.ss-link.com/login” and parses a table containing Shadowsocks server addresses and login credentials. It then starts Shadowsocks to connect to the parsed server with those credentials. When spawning a Shadowsocks connection, lines 106-109 of auto_ss.py execute:

p = subprocess.Popen(
    "exec " + ss_local_cmd, shell=True, stdout=subprocess.PIPE,
    stderr=subprocess.STDOUT
)

The parsed fields are concatenated into ss_local_cmd and handed to a shell. If an attacker is able to modify the content served by “https://www.ss-link.com”, either through a man-in-the-middle attack or a vulnerability in the web page, the parameters can be altered to execute arbitrary commands on the machine running auto-ss. E.g. “; #” could be appended to a parameter or used as a parameter to execute code on target machines.
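The following Python snippet is an added illustration written for this advisory; it is not code from auto-ss. It reproduces the string-concatenation pattern quoted above next to two safe variants and a plausibility check for the parsed row. Assumptions: "echo" stands in for the ss-local binary so the example runs anywhere and simply shows what argv the child received; the row layout (server, port, password, method) and the allow-list of cipher names are made up for the example; the tampered row carries a "$(...)" substitution, which the shell expands before the "exec"-ed program starts.

```python
import re
import shlex
import subprocess

# Stand-in for the ss-local binary (assumption for this example): "echo"
# prints its arguments, so the output shows exactly what the child received.
SS_LOCAL = "echo"

# Constructed sample rows. TAMPERED_ROW is what a modified ss-link.com page
# could deliver: the server field smuggles a command substitution, which the
# shell evaluates before "exec" replaces it with the target program.
CLEAN_ROW = {"server": "203.0.113.5", "port": "8388",
             "password": "s3cret", "method": "aes-256-cfb"}
TAMPERED_ROW = dict(CLEAN_ROW, server="203.0.113.5 $(echo INJECTED)")


def _capture(popen_args, **kw):
    """Run a child with the same stdout/stderr wiring as auto-ss and return its output."""
    p = subprocess.Popen(popen_args, stdout=subprocess.PIPE,
                         stderr=subprocess.STDOUT, **kw)
    out, _ = p.communicate()
    return out.decode()


def run_vulnerable(row):
    """The pattern from the advisory: fields pasted into one string, shell=True.
    The shell parses the string, so "$(echo INJECTED)" runs as a command."""
    ss_local_cmd = "%s -s %s -p %s -k %s -m %s" % (
        SS_LOCAL, row["server"], row["port"], row["password"], row["method"])
    return _capture("exec " + ss_local_cmd, shell=True)


def run_quoted(row):
    """If a shell is unavoidable, quote every untrusted field with shlex.quote();
    the substitution then arrives as a literal argument and is not executed."""
    ss_local_cmd = "%s -s %s -p %s -k %s -m %s" % (
        SS_LOCAL, shlex.quote(row["server"]), shlex.quote(row["port"]),
        shlex.quote(row["password"]), shlex.quote(row["method"]))
    return _capture("exec " + ss_local_cmd, shell=True)


def run_argv(row):
    """Preferred fix: an argv list with shell=False. No shell is involved, so
    each field reaches the child as exactly one argument, metacharacters and all."""
    argv = [SS_LOCAL, "-s", row["server"], "-p", row["port"],
            "-k", row["password"], "-m", row["method"]]
    return _capture(argv, shell=False)


_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
# Example allow-list of cipher names (assumption, not the real ss-link table).
_METHODS = {"aes-256-cfb", "aes-128-gcm", "chacha20-ietf-poly1305"}


def check_row(row):
    """Defence in depth: return the names of fields that do not look like
    server settings, so a tampered page is refused before anything is spawned."""
    bad = []
    if not _HOST_RE.match(row["server"]):
        bad.append("server")
    if not row["port"].isdigit() or not 1 <= int(row["port"]) <= 65535:
        bad.append("port")
    if row["method"] not in _METHODS:
        bad.append("method")
    return bad


if __name__ == "__main__":
    print("tampered fields:", check_row(TAMPERED_ROW))
    print("vulnerable:", run_vulnerable(TAMPERED_ROW).rstrip())
    print("quoted    :", run_quoted(TAMPERED_ROW).rstrip())
    print("argv      :", run_argv(TAMPERED_ROW).rstrip())
```

In the vulnerable variant the word INJECTED appears in the child's argv, proving the injected command ran inside the shell; in the quoted and argv variants the literal text "$(echo INJECTED)" is passed through untouched. The argv form is the one to use: it removes the shell from the picture entirely rather than relying on quoting being applied to every field.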

Product Description

Auto-ss is a tool to distribute Shadowsocks server configurations. It is not part of Shadowsocks itself.

Workarounds

There is no workaround available; do not use auto-ss until a patch is released. In general, untrusted input must never be passed as part of a shell command string: spawn the program with an argument list and shell=False instead.

About X41 D-Sec GmbH

X41 D-Sec is a provider of application security services. We focus on application code reviews, design review and security testing. X41 D-Sec GmbH was founded in 2015 by Markus Vervier. We support customers in various industries such as finance, software development and public institutions.

Timeline