X41 D-Sec GmbH Security Advisory: X41-2017-009
Severity Rating: High
Confirmed Affected Versions: 0.1.3
Confirmed Patched Versions: N/A
Vendor: Steven Han
Vendor URL: https://github.com/kirk91/ss-link-auto
Credit: X41 D-Sec GmbH, Niklas Abel
CVE: Not assigned yet
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L
The Shadowsocks wrapper "auto-ss" logs into the website "https://www.ss-link.com/login" and parses a table with Shadowsocks login credentials and information. It starts Shadowsocks to create a connection with the parsed credentials and server. When spawning a Shadowsocks connection, lines 106-109 of auto_ss.py execute:

    p = subprocess.Popen(
        "exec " + ss_local_cmd, shell=True,
        stdout=subprocess.PIPE, stderr=subprocess.STDOUT
    )

If an attacker is able to modify "https://www.ss-link.com" through a
man-in-the-middle attack or a vulnerability on the web page, the parsed
parameters could be modified to execute a command on the machine running
Shadowsocks auto-ss. E.g. ";
Auto-ss is a tool to distribute Shadowsocks server configurations. It is not part of Shadowsocks itself.
There is no workaround available; do not use auto-ss until a patch is released. Passing untrusted input as arguments to shell commands should be avoided.
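The recommendation above, sketched as an added example (not code from auto-ss or from X41): the scraped fields are validated and passed as an argument list, so no shell ever parses them. The sslocal option letters, the field formats, and the names build_argv and argv_seen_by_child are assumptions, since the advisory does not show how ss_local_cmd is assembled.

```python
import json
import re
import subprocess
import sys

# Assumed field formats; the advisory does not list the table's columns.
# IPv6 literals are not covered by this host pattern.
_HOST = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")
_PORT = re.compile(r"[0-9]{1,5}")
_METHOD = re.compile(r"[a-z0-9-]{1,32}")


def build_argv(server, port, password, method, program="sslocal"):
    """Validate scraped fields and return an argument list (no shell string)."""
    if not _HOST.fullmatch(server):
        raise ValueError("unexpected server value: %r" % server)
    if not _PORT.fullmatch(port) or not 1 <= int(port) <= 65535:
        raise ValueError("unexpected port value: %r" % port)
    if not _METHOD.fullmatch(method):
        raise ValueError("unexpected method value: %r" % method)
    if not password or "\x00" in password:
        raise ValueError("unexpected password value")
    # One list element per value: nothing here is ever parsed by /bin/sh.
    return [program, "-s", server, "-p", port, "-k", password, "-m", method]


def argv_seen_by_child(argv):
    """Run a stand-in child (not sslocal) that reports the arguments it got."""
    echo = "import json, sys; print(json.dumps(sys.argv[1:]))"
    out = subprocess.run([sys.executable, "-c", echo] + argv[1:],
                         stdout=subprocess.PIPE, check=True,
                         universal_newlines=True)
    return json.loads(out.stdout)


if __name__ == "__main__":
    # Constructed row: the password field carries shell metacharacters.
    row = ("198.51.100.7", "8388", "pw; echo INJECTED", "aes-256-cfb")
    argv = build_argv(*row)
    print(argv_seen_by_child(argv))  # password arrives as one literal argument
    try:
        # Constructed row: metacharacters in the server field are rejected.
        build_argv("198.51.100.7; echo INJECTED", "8388", "pw", "aes-256-cfb")
    except ValueError as exc:
        print("rejected:", exc)
```

With shell=True removed, a free-form field such as the password reaches the child process as a single literal argument, and the structured fields fail validation before any process is started.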
X41 D-Sec is a provider of application security services. We focus on application code reviews, design review and security testing. X41 D-Sec GmbH was founded in 2015 by Markus Vervier. We support customers in various industries such as finance, software development and public institutions.
2017-09-29 Issues found
2017-10-05 Vendor contacted via mail
2017-11-07 Vendor contacted via GitHub
2017-12-07 Deadline for public release has been reached
2017-12-15 CVE ID requested
2017-12-18 Created public issue on GitHub
2017-12-18 Advisory release