# RCE in NASA (0-Day Exploit)

### Description

psg.gsfc.nasa.gov was vulnerable to Remote Code Execution. I disclosed this vulnerability in late 2021, and it was patched within a few days.

With the environment set up as shown above, you can analyze the code.

The Remote Code Execution vulnerability was in the URL shown above.

Looking at the code above, the request parameters wgeo, wephm, watm, whdr, type and mode are read and each one is stored in its own variable.

Further down, in the code below, a system() call appears in the first if statement inside the else branch.

The important point is that the values of the $wephm and $watm variables are passed straight into the argument string of that system() call. Both come from request parameters, so anyone who can manipulate them can append their own shell commands, which is Remote Code Execution.

However, I can't see the output of system(): the command runs on the server and its result is never returned in the response, so the injection is blind.

Yeah~ they're running Apache. So I decided to redirect the output of the injected shell command into a file under Apache's default document root, where it can be fetched with an ordinary HTTP request.

One more thing is needed before exploiting this vulnerability. When the request is sent with the POST method, the server takes the value of the file parameter and parses it as a configuration file.

At first I passed random data in the file parameter, but that did not work: the parser evidently needs input in the format it expects. So I looked for a sample file on the NASA site.

I found one: the psg_cfg.txt file can be downloaded from the URL above.

The contents of psg_cfg.txt are shown above. I trimmed the file because the values are very long.

The final PoC is shown above.

Running the PoC, I saw Remote Code Execution happen!

This was very interesting and amazing! It was a good analysis and a good experience for me 😉 Thanks to @PewGrand for the help; I learned a lot from you!

The next day, when I woke up and checked the vulnerability, it was already patched! But nobody contacted me. I later learned on Twitter that NASA does not respond to vulnerability reports, so anyone who finds one is reporting it purely in the public interest. 😢

The fix added a substr() call. I thought about trying to bypass it, but after reading the patched code I decided not to: it is impossible to bypass.

### Reporting Timeline

• 2021-11-22 13h 03m : Reported this issue via soc@nasa.gov.
• 2021-11-23 ??h ??m : Issue patched.
• 2022-02-14 ??h ??m : Released a Docker file.