The MultiversX Play API, accessible at https://play-api.multiversx.com/ and developed using NestJs, functions as a bridge for the browser-based IDE (https://play.elrond.com/). This API facilitates the compilation and deployment of MultiversX smart contracts directly from the browser, thus enabling the creation and management of these contracts within the browser-based IDE itself.
https://play-api.multiversx.com/
https://devnet-play-api.multiversx.com
https://testnet-play-api.multiversx.com
[CWE-78] - Unauthenticated Remote code execution (RCE).
An unauthenticated, remote OS Command Injection vulnerability (CWE-78) was discovered in the MultiversX Play API. This vulnerability arises from an unsafe implementation of the /build
API endpoint, due to inadequate validation of process arguments in the POST request made to https://play-api.multiversx.com/build
. A successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system with ubuntu
user privileges.
OS Command Injection - CWE-78.
The /build
endpoint of the MultiversX Play API, reachable at https://play-api.multiversx.com/build
, can be exploited for a Remote Code Execution (RCE) attack. The issue lies in the command
field of the POST request body, which fails to sufficiently validate and sanitize its input.
As a result, arbitrary OS commands can be injected and subsequently executed on the underlying server.
For instance, the following curl command demonstrates an attack that leverages this vulnerability to display the contents of the /etc/passwd
file:
Payload
curl -X 'POST' \
'https://play-api.multiversx.com/build' \
-H 'accept: application/json' \
-H 'Content-Type: application/json' \
-d '{
"command": "cat /etc/passwd `cat /etc/passwd`",
"content": {}
}'
In this example, the command cat /etc/passwd
is injected into the command
field of the POST request body twice, leading to a situation where the command is executed and its output returned in the response from the server.
This means that an attacker could exploit this vulnerability to execute arbitrary commands with the permissions of the ubuntu
user on the server, representing a serious security threat.
We could also exploit this vulnerability to create a reverse shell and potentially pivote into other node
In addition to using this vulnerability to display the contents of server files, an attacker could also exploit it to create a reverse shell, giving them interactive access to the server.
For instance, the following payload would create a reverse shell that connects back to an attacker-controlled server:
This will give us interactive access to the server with the permissions of the `ubuntu` user.
Furthermore, having control over a server within a network could also enable the attacker to carry out lateral movement to other systems. This could lead to a broader network compromise, especially if the compromised server has credentials or other sensitive data that could be used to authenticate to other systems.
command
field and disallow special characters that could be used to chain commands.(`)
, semicolons (;)
, and pipe symbols (|)
should be escaped or removed.https://play-api.multiversx.com/#/build/BuildController_build
https://devnet-play-api.multiversx.com/#/build/BuildController_build
https://testnet-play-api.multiversx.com/#/build/BuildController_build
https://neroteam.com/blog/multiversx-wallet-exploit