@aydinnyunus
Last active March 27, 2025 14:03
Business Logic to Command Injection

1. Overview

This report describes a chain of issues in Akaunting, an open-source online accounting application. A business logic flaw in its App Store lets an authenticated user install paid applications without paying; the same installation request is vulnerable to command injection, which gives remote code execution (RCE) on the server; and a known local privilege escalation (LPE) in the host's polkit then yields root. The sections below give the details, the impact, and mitigation steps.


2. Description of the Vulnerability

2.1 Business Logic Bug in Application Purchase System

Akaunting ships an App Store from which users purchase and install applications that extend the product. The install request carries the app's name, version and path, and the server trusts those values as sent, so an attacker can:

  • Capture the install request for a free app and rewrite name, version and path to those of a paid app.
  • Read the required version string from the paid app's public description.
  • Install the premium application without any payment being recorded.

Steps to Reproduce:

  1. Identify a free app and capture the request during installation.
  2. Modify the app name, version, and path to correspond to a paid app.
  3. Send the modified request.
  4. The paid app installs successfully without payment.
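The flaw is easiest to see as a request-trust problem: the server lets the client tell it what to install. The Python model below is added here as an illustration and is not Akaunting's code (Akaunting is a PHP application; its real catalogue, request shape, app names, prices and signing key are not on this page, so every one of those is hypothetical). It puts the vulnerable handling of name/version/path next to a hardened flow in which the store issues an HMAC-signed install ticket after checkout and the install endpoint re-validates both the signature and the purchase record, which is the server-side validation and signed-request approach recommended in section 4.1.

```python
import hashlib
import hmac
import json

# Constructed server-side catalogue. Names, versions, paths and prices are
# hypothetical; they are not Akaunting's real App Store entries.
CATALOGUE = {
    "free-widget":     {"version": "1.2.0", "path": "apps/free-widget-1.2.0.zip",     "price": 0},
    "premium-reports": {"version": "3.0.1", "path": "apps/premium-reports-3.0.1.zip", "price": 49},
}

# Constructed purchase ledger (company id -> purchased app names) and a
# hypothetical server-only secret used to sign install tickets.
PURCHASES = {"company-1": set()}
SERVER_KEY = b"hypothetical-server-secret"


def install_from_request(company, request):
    """Vulnerable pattern: name, version and path are taken straight from the
    client request and no purchase record is consulted, so a captured free-app
    request can be rewritten to name a paid app."""
    return {"name": request["name"], "version": request["version"], "path": request["path"]}


def issue_ticket(company, name):
    """Store side: after checkout succeeds, emit a signed ticket binding the
    company to a catalogue entry. Version and path come from the catalogue,
    never from the client."""
    entry = CATALOGUE.get(name)
    if entry is None:
        raise PermissionError(f"unknown app {name!r}")
    if entry["price"] > 0 and name not in PURCHASES.get(company, set()):
        raise PermissionError(f"{company} has not purchased {name}")
    payload = {"company": company, "name": name, "version": entry["version"], "path": entry["path"]}
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def install_from_ticket(company, ticket):
    """Install side: verify the signature with a constant-time compare, then
    re-check entitlement against the ledger (purchases can be refunded after
    a ticket was issued). Tampering with any field invalidates the ticket."""
    body = json.dumps(ticket["payload"], sort_keys=True).encode()
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["sig"]):
        raise PermissionError("ticket signature mismatch")
    payload = ticket["payload"]
    if payload["company"] != company:
        raise PermissionError("ticket issued to another company")
    entry = CATALOGUE.get(payload["name"])
    if entry is None:
        raise PermissionError("unknown app")
    if entry["price"] > 0 and payload["name"] not in PURCHASES.get(company, set()):
        raise PermissionError("app not purchased")
    # Install using catalogue values only, never the client's version/path.
    return {"name": payload["name"], "version": entry["version"], "path": entry["path"]}


if __name__ == "__main__":
    # Attacker rewrites a free-app request to name the paid app (constructed).
    tampered = {"name": "premium-reports", "version": "3.0.1", "path": "apps/premium-reports-3.0.1.zip"}
    print("vulnerable:", install_from_request("company-1", tampered))
    ticket = issue_ticket("company-1", "free-widget")
    ticket["payload"]["name"] = "premium-reports"   # same trick against the ticket
    try:
        install_from_ticket("company-1", ticket)
    except PermissionError as err:
        print("hardened:", err)
```

The ticket is only as good as the secret: it must stay server-side, and the install endpoint must treat the ticket, not the request body, as the source of name, version and path.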

2.2 Remote Code Execution (RCE) via Command Injection

The alias field of the same app installation request reaches a server-side command without sanitisation, so an attacker who controls it can inject arbitrary shell commands and obtain RCE.


Steps to Exploit:

  1. Set the alias value to an arbitrary string and resend the request.
  2. Inspect the error response for evidence of where the value reaches a command.
  3. Place a reverse shell payload (for example one generated with https://www.revshells.com/) in the alias field and send it.
  4. A reverse shell connects back from the Akaunting server.
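The pattern behind this step, and the fix recommended in section 4.2, shown as an added Python example that is not Akaunting's code: the page does not reproduce the real install routine, so `echo` stands in for whatever installer the alias is passed to, and the request bodies are constructed. The vulnerable function interpolates the alias into a string handed to /bin/sh, so a `;` in the value runs a second command; the hardened function allowlists the alias and then passes it as a separate argv element with no shell at all.

```python
import re
import subprocess

# Constructed request bodies; only the client-controlled "alias" field is modelled.
BENIGN_REQUEST = {"alias": "sample-app"}
MALICIOUS_REQUEST = {"alias": "sample-app; echo INJECTED"}

# Allowlist for an alias: lowercase letters, digits and hyphens, 1-64 characters.
ALIAS_RE = re.compile(r"[a-z0-9][a-z0-9-]{0,63}")


def run_install_vulnerable(request):
    """Vulnerable pattern: the alias is interpolated into a command string that
    is handed to /bin/sh, so shell metacharacters in it (; | & $( ) `) run as
    extra commands. `echo` stands in for the real installer (assumption)."""
    cmd = f"echo installing {request['alias']}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_install_hardened(request):
    """Hardened pattern: reject anything outside the allowlist, then pass the
    alias as its own argv element with shell=False, so even a value that got
    past the regex could not be reinterpreted as shell syntax."""
    alias = request["alias"]
    if not ALIAS_RE.fullmatch(alias):
        raise ValueError(f"rejected alias: {alias!r}")
    result = subprocess.run(["echo", "installing", alias],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    print(run_install_vulnerable(MALICIOUS_REQUEST), end="")   # the second echo runs
    try:
        run_install_hardened(MALICIOUS_REQUEST)
    except ValueError as err:
        print(err)
```

The argv form is the important half: an allowlist alone leaves the door open to the next field that is forgotten, while passing arguments as a vector means no client string is ever parsed by a shell.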

Once RCE is achieved, the attacker can:

  • Read Akaunting's .env file, which holds API keys, AWS credentials and the database credentials.
  • Use those AWS credentials to pull CloudWatch logs and backups.
  • Attempt further privilege escalation on the host.

2.3 Local Privilege Escalation (LPE)

After obtaining a shell, escalation to root is possible with CVE-2021-4034 (PwnKit), a local privilege escalation in polkit's setuid pkexec binary, if the host has not been patched.

Exploit Used: https://haxx.in/files/blasty-vs-pkexec.c

Steps to Exploit:

  1. Identify the system running a vulnerable version of pkexec.
  2. Compile and execute the exploit.
  3. Gain root access to the system.

With root, the attacker has full control of the server and can carry out further malicious activity.


3. Impact

  • Unauthorized installation of paid applications.
  • Full compromise of the Akaunting server.
  • Exposure of API keys and sensitive credentials.
  • Potential abuse of AWS services linked to Akaunting.
  • Local privilege escalation leading to complete system takeover.

4. Recommendations & Mitigations

4.1 Business Logic Fixes

  • Enforce the purchase check on the server: decide what may be installed from the account's purchase records, not from fields in the request.
  • Sign install requests or tickets server-side so that client-side modification is detected.
  • Resolve the app name, version and download path from a trusted server-side catalogue instead of accepting them from the client.

4.2 RCE Mitigation

  • Validate all input fields against an allowlist, in particular alias and path, and reject anything outside it.
  • Restrict install requests to values the server already knows (catalogue entries), not free-form strings.
  • Never build the installation command by string interpolation into a shell; pass arguments as a vector, and run the installer with the least privilege it needs.

4.3 LPE Prevention

  • Patch both Akaunting and the host operating system; CVE-2021-4034 is in the polkit package, so updating Akaunting alone does not close it.
  • Remove the setuid bit from pkexec (chmod 0755 /usr/bin/pkexec) or uninstall polkit where it is not needed.
  • Confirm that the installed polkit version carries the fix for CVE-2021-4034.

4.4 Additional Security Measures

  • Restrict access to sensitive files such as .env.
  • Implement logging and monitoring for unusual activities.
  • Enforce strict access controls and role-based permissions.

5. Proof of Concept (PoC) Code

A working exploit has been demonstrated and documented in the following GitHub repository: https://github.com/aydinnyunus/akaunting-authenticated-rce
