BuildMaster Event Listener RCE

In my initial look at Inedo BuildMaster, one of the more interesting capabilities I came across was event listeners. Event listeners allow users to have the BuildMaster server perform specified tasks when particular kinds of events occur within BuildMaster. It looks like this feature could be very useful to server administrators looking to integrate BuildMaster with external tools, but that’s not why it caught my eye. One of the types of event listeners available is “Execute Command Line”, which allows users to execute system commands on the BuildMaster server. The prevalence of this type of functionality in various CI/CD tools is a topic for another post, but in short, seeing this type of functionality worries me because it guarantees that there is a path to RCE, either through application vulnerabilities or through gaining access to a privileged user account.

Given how sensitive command line event listeners are, I decided to do some authorization testing. When testing this functionality with multiple users, I noticed that the option to create command line event listeners was unavailable in the UI for low privileged users, but it was available for privileged users. My testing of BuildMaster 5.8.1 indicated that the limitations enforced through the UI could be bypassed by low privileged users by directly navigating to certain URLs.

Exploitation

I plan to write a Metasploit module for this vulnerability at some point, but it was also easy to exploit by signing in to BuildMaster and navigating to

/event/listeners/edit?eventListenerTypeName=Inedo.BuildMaster.Extensibility.EventListeners.General.CommandLineEventListener%2CBuildMasterExtensions

After filling out the form and saving, trigger your event listener by performing the type of action you configured.

Analysis

The root cause of this vulnerability is that instead of implementing authorization checks on the server when saving event listeners, the UI elements related to command line event listeners were simply hidden. While it is good practice to not clutter the UI of your application with actions the current user cannot perform, the UI is not the place to implement authorization. Instead, authorization should be implemented outside of the user’s control, which for web applications means on the server.
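The two patterns described above, modelled in Python as an added example (this is illustrative code, not BuildMaster's): the form hides the command line listener type from low-privileged users, but only the second save handler re-checks the privilege on the server. The listener type name comes from the URL in the post; the second listener type and the privilege name are constructed placeholders.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Listener type name taken from the URL in the post (%2C decoded to a comma).
COMMAND_LINE_LISTENER = ("Inedo.BuildMaster.Extensibility.EventListeners.General."
                         "CommandLineEventListener,BuildMasterExtensions")
# Constructed for this example; not a real BuildMaster listener type.
NOTIFY_LISTENER = "Example.NotifyListener,ExampleExtensions"

# Listener types that need an administrative privilege. The privilege name is a
# hypothetical placeholder, not a BuildMaster privilege identifier.
PRIVILEGED_TYPES = {COMMAND_LINE_LISTENER: "CONFIGURE_COMMAND_LINE_LISTENERS"}


@dataclass
class User:
    name: str
    privileges: set = field(default_factory=set)


def listener_types_shown_in_ui(user: User) -> list:
    """What the edit form offers: privileged types are simply omitted for other users."""
    return [t for t in (NOTIFY_LISTENER, COMMAND_LINE_LISTENER)
            if t not in PRIVILEGED_TYPES or PRIVILEGED_TYPES[t] in user.privileges]


def listener_type_from_url(url: str) -> str:
    """Read eventListenerTypeName from the edit URL; parse_qs percent-decodes it."""
    return parse_qs(urlparse(url).query)["eventListenerTypeName"][0]


def save_listener_ui_only_check(user: User, type_name: str, saved: dict) -> bool:
    """Vulnerable pattern: the server trusts the submitted type because the UI hid it.
    A user who types the URL directly gets the listener saved regardless of role."""
    saved[user.name] = type_name
    return True


def save_listener_server_check(user: User, type_name: str, saved: dict) -> bool:
    """Fixed pattern: enforce the privilege on the server for every save, whatever
    the form showed. A real handler would return 403 and log the rejected attempt."""
    needed = PRIVILEGED_TYPES.get(type_name)
    if needed is not None and needed not in user.privileges:
        return False
    saved[user.name] = type_name
    return True
```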

Mitigation

Updating to BuildMaster 5.8.2+ will prevent attackers from exploiting this vulnerability.

More information
