CVE-2024-3126
📋 TL;DR
This CVE describes a command injection vulnerability in the parisneo/lollms-webui application that allows remote attackers to execute arbitrary commands on the host system. The vulnerability affects all versions up to 9.5 and can be exploited by manipulating the 'xtts_base_url' parameter in the 'run_xtts_api_server' function.
💻 Affected Systems
- parisneo/lollms-webui
📦 What is this software?
lollms-webui is the web user interface of LoLLMs (Lord of Large Language Models), ParisNeo's tool for running and chatting with local and remote large language models; its XTTS integration launches a text-to-speech API server that the web UI talks to, which is the code path this CVE concerns.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the host, data exfiltration, lateral movement, and persistent backdoor installation.
Likely Case
Remote code execution leading to service disruption, data theft, and potential cryptocurrency mining or ransomware deployment.
If Mitigated
Limited impact with proper network segmentation and input validation, potentially only affecting the application service account.
🎯 Exploit Status
Exploitation requires sending a crafted request to the vulnerable endpoint with malicious payload in the xtts_base_url parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.6 and later
Vendor Advisory: https://github.com/parisneo/lollms-webui/commit/41dbb1b3f2e78ea276e5269544e50514252c0c25
Restart Required: Yes
Instructions:
1. Update to version 9.6 or later using 'git pull' from the repository.
2. Restart the lollms-webui service.
3. Verify the fix by checking that the commit includes proper input sanitization in lollms_xtts.py.
🔧 Temporary Workarounds
Disable XTTS functionality (all platforms)
Temporarily disable the vulnerable XTTS feature until patching is possible: edit the configuration to set enable_xtts=false, or remove the XTTS-related endpoints.
Network isolation (Linux)
Restrict network access to the lollms-webui service to trusted IPs only. Append the ACCEPT rule before the DROP rule, since iptables evaluates a chain in order and the first match wins:
iptables -A INPUT -p tcp --dport [lollms-port] -s [trusted-ip] -j ACCEPT
iptables -A INPUT -p tcp --dport [lollms-port] -j DROP
🧯 If You Can't Patch
- Implement strict input validation and sanitization for the xtts_base_url parameter
- Run the application with minimal privileges using a non-root service account
🔍 How to Verify
Check if Vulnerable:
Check whether the installed version is 9.5 or earlier, and examine lollms_xtts.py for subprocess.Popen calls whose command is built from an f-string that interpolates xtts_base_url without sanitization.
Check Version:
Check the version in the application interface or examine the repository commit history.
Verify Fix Applied:
Verify the commit 41dbb1b3f2e78ea276e5269544e50514252c0c25 is present and that xtts_base_url input is properly sanitized before command execution.
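The following is an added illustration, not code from lollms-webui or from the fixing commit: it places the injection-prone shape the advisory tells you to audit for (untrusted input formatted into a single shell string) beside a hardened launcher that validates xtts_base_url as a plain http(s) origin and passes an argv list with shell=False. The module name "xtts_api_server" and the "--base-url" flag are assumptions for illustration only.

```python
# Added example (not lollms-webui's own code). "xtts_api_server" and "--base-url"
# are hypothetical names standing in for whatever the real launcher invokes.
import re
import subprocess
from urllib.parse import urlsplit

# Characters that change how a POSIX shell parses a command line, plus whitespace.
SHELL_META = re.compile(r"""[;&|`$(){}<>\\"'\s]""")


def vulnerable_command(xtts_base_url: str) -> str:
    """The pattern an auditor greps for: user input interpolated into one shell
    string destined for subprocess.Popen(cmd, shell=True). Returned, never run."""
    return f"python -m xtts_api_server --base-url {xtts_base_url}"


def validate_xtts_base_url(url: str) -> str:
    """Accept only a bare http(s) origin; raise ValueError for anything else."""
    if not url or SHELL_META.search(url):
        raise ValueError("xtts_base_url contains shell metacharacters or whitespace")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("xtts_base_url must use http or https")
    if not parts.hostname:
        raise ValueError("xtts_base_url has no host")
    try:
        port = parts.port  # urlsplit raises ValueError for a non-numeric port
    except ValueError as exc:
        raise ValueError("xtts_base_url has an invalid port") from exc
    if port is not None and not 1 <= port <= 65535:
        raise ValueError("xtts_base_url port out of range")
    return url


def hardened_command(xtts_base_url: str) -> list[str]:
    """Validate first, then build an argv list: each element is exactly one
    argument to the child process and is never re-parsed by a shell."""
    url = validate_xtts_base_url(xtts_base_url)
    return ["python", "-m", "xtts_api_server", "--base-url", url]


def start_xtts(xtts_base_url: str, dry_run: bool = True):
    """Launch with shell=False (Popen's default). dry_run returns the argv that
    would be spawned, so the validation path can be exercised without a process."""
    argv = hardened_command(xtts_base_url)
    if dry_run:
        return argv
    return subprocess.Popen(argv)
```

Rejecting metacharacters up front is belt-and-braces: with an argv list the shell is never involved, so the URL could not inject a command even if it contained ';', but a strict allowlist also keeps malformed values from reaching the child process and gives a clear error to log.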
📡 Detection & Monitoring
Log Indicators:
- Unusual subprocess executions from lollms-webui
- Suspicious commands in application logs containing shell metacharacters
- Failed authentication attempts followed by command execution
Network Indicators:
- HTTP requests to lollms-webui with unusual characters in xtts_base_url parameter
- Outbound connections from lollms-webui to unexpected destinations
SIEM Query:
source="lollms-webui" AND (process_execution="subprocess" OR command="*;*" OR command="*|*" OR command="*`*" OR command="*$(*")
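As an added example (not part of the advisory), the check below applies the same idea as the SIEM query to web-server access logs: it extracts the xtts_base_url query value from each request line, percent-decodes it before matching (a literal-character match on the raw line misses encoded values), and flags any value carrying shell metacharacters. The log lines and the /xtts/start path are constructed for illustration; real lollms-webui logs may use a different format or endpoint.

```python
# Added example, not part of the advisory. Sample lines and the /xtts/start path
# are constructed; adapt REQUEST_LINE and the parameter name to your own logs.
import re
from urllib.parse import urlsplit, unquote, unquote_plus

SHELL_META = re.compile(r"""[;&|`$(){}<>\\"'\s]""")
# Combined-style access log: ip ident user [timestamp] "METHOD target HTTP/x.y" ...
REQUEST_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Constructed sample: a benign request, a literal metacharacter, a percent-encoded
# one, a doubly-encoded one, and an unrelated endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "POST /xtts/start?xtts_base_url=http://127.0.0.1:8020 HTTP/1.1" 200 17
10.0.0.9 - - [12/Mar/2024:10:02:15 +0000] "POST /xtts/start?xtts_base_url=http://127.0.0.1:8020;x HTTP/1.1" 200 17
10.0.0.9 - - [12/Mar/2024:10:02:40 +0000] "POST /xtts/start?xtts_base_url=http%3A%2F%2F127.0.0.1%3A8020%7Cx HTTP/1.1" 200 17
10.0.0.9 - - [12/Mar/2024:10:02:58 +0000] "POST /xtts/start?xtts_base_url=http%3A%2F%2F127.0.0.1%3A8020%2524%2528x%2529 HTTP/1.1" 200 17
10.0.0.5 - - [12/Mar/2024:10:03:01 +0000] "GET /static/app.js HTTP/1.1" 200 9001
"""


def query_params(target: str) -> dict[str, list[str]]:
    """Split the query on '&' only and percent-decode each value. Older parse_qs
    also split on ';', which would hide exactly the character we look for."""
    params: dict[str, list[str]] = {}
    for pair in urlsplit(target).query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so a doubly-encoded value is inspected too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text: str, param: str = "xtts_base_url") -> list[dict]:
    """Return one finding per request whose `param` value contains a shell metacharacter."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        for raw in query_params(m.group("target")).get(param, []):
            value = decode_fully(raw)
            hit = SHELL_META.search(value)
            if hit:
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "value": value, "char": hit.group()})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} xtts_base_url={f['value']!r} (matched {f['char']!r})")
```

A legitimate xtts_base_url is a bare http(s) origin, so any of these characters in the value is worth an alert on its own; correlate the source IP with the outbound-connection indicator above to prioritise.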
🔗 References
- https://github.com/parisneo/lollms-webui/commit/41dbb1b3f2e78ea276e5269544e50514252c0c25
- https://huntr.com/bounties/0e2bec70-826e-4c24-8015-31921e23fd12