Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath endpoint in Termix is vulnerable to OS command injection. The endpoint uses double-quote escaping for shell command construction, which does not prevent $(...) and backtick command substitution. Any authenticated user with an active File Manager SSH session can execute arbitrary commands on the connected remote host. Version 2.3.2 patches the issue.
The resolvePath endpoint constructs system shell commands using escaping based solely on double quotes. However, this mechanism does not block command substitution using the $(...) syntax or backticks. An attacker can place an appropriately crafted expression in the request parameter, which will be executed by the shell on the remote host served by Termix.
An authenticated attacker can execute arbitrary system commands on a remote host connected via SSH session, thereby gaining full control over that system, including access to sensitive data, ability to modify files, and privilege escalation.
Termix should be updated to version 2.3.2, which contains a patch eliminating the described vulnerability. The patch is available in the vendor's GitHub repository under the release-2.3.2-tag tag.
Termix versions prior to 2.3.2
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HTermix
APPTermix2.1.0 – 2.3.2 (bez)
Related vulnerabilities
Command injection w Termix File Manager via parametr path (GET resolvePath)
Broken Access Control w Termix — nieautoryzowany dostęp do sesji File Manager
Command injection w Termix – endpoint SSH tunnel bez sanityzacji danych wejściowych
Termix: nieautoryzowany dostęp do danych SSH przez błędne wykrywanie IP
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. ...