Description
reconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and find vulnerabilities. A vulnerability has been identified in reconftw where inadequate validation of retrieved subdomains may lead to a Remote Code Execution (RCE) attack. An attacker can exploit this vulnerability by crafting a malicious CSP entry on its own domain. Successful exploitation can lead to the execution of arbitrary code within the context of the application, potentially compromising the system. This issue has been addressed in version 2.7.1.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
EPSS Score:
1%
Comprehensive Technical Analysis of EUVD-2023-50376 (CVE-2023-46117)
Vulnerability: Remote Code Execution (RCE) in reconFTW due to Inadequate Subdomain Validation
1. Vulnerability Assessment & Severity Evaluation
Vulnerability Overview
EUVD-2023-50376 (CVE-2023-46117) is a critical Remote Code Execution (RCE) vulnerability in reconFTW, an automated reconnaissance tool (a Bash script that orchestrates many recon utilities) used for domain scanning and vulnerability discovery. The flaw stems from insufficient validation of subdomains that reconFTW harvests from Content Security Policy (CSP) headers: an attacker who serves a crafted CSP entry on a domain they control can get that entry processed as if it were a subdomain and, through it, execute arbitrary code on the host running the scan.
CVSS v3.0 Severity Breakdown
| Metric | Value | Explanation |
|---|---|---|
| Attack Vector (AV) | Network (N) | Exploitable remotely over the internet. |
| Attack Complexity (AC) | Low (L) | No special conditions required; straightforward exploitation. |
| Privileges Required (PR) | None (N) | No authentication or elevated privileges needed. |
| User Interaction (UI) | Required (R) | Victim must execute reconFTW against a malicious domain. |
| Scope (S) | Changed (C) | Impact extends beyond the vulnerable component (reconFTW) to the underlying system. |
| Confidentiality (C) | High (H) | Full system compromise possible. |
| Integrity (I) | High (H) | Arbitrary code execution allows data manipulation. |
| Availability (A) | High (H) | System may be rendered inoperable. |
| Base Score | 9.6 (Critical) | High-impact RCE with low attack complexity. |
Severity Justification
- Critical (9.6) due to:
- Unauthenticated RCE (no credentials required).
- Low attack complexity (exploitable via crafted CSP headers).
- High impact (full system compromise possible).
- Changed scope (impact extends beyond the application).
2. Potential Attack Vectors & Exploitation Methods
Exploitation Mechanism
1. Attacker-controlled domain setup
   - The attacker registers a domain (e.g., malicious.example) and serves a Content-Security-Policy header whose source list contains a crafted entry next to ordinary hostnames (e.g., script-src 'self' https://<crafted-entry>.malicious.example).
   - CSP source lists (script-src, connect-src and similar directives) enumerate hosts a site talks to, which is exactly why subdomain-enumeration tooling scrapes them; the crafted entry sits where a hostname is expected.
2. Victim interaction
   - The victim runs reconFTW against the attacker's domain (./reconftw.sh -d malicious.example).
   - During subdomain enumeration, reconFTW fetches the CSP header and extracts the hosts it lists as candidate subdomains.
3. Inadequate validation and RCE
   - The extracted entries are not validated as hostnames, so the crafted entry is carried forward as if it were a subdomain. reconFTW is a Bash script that feeds such values into further commands; an entry containing shell syntax is therefore interpreted by the shell on the scanning host, yielding code execution with the privileges of the user running the tool. (The advisory does not publish the exact vulnerable line; nothing in the CSP is "executed" as a script by reconFTW, the damage comes from an unvalidated string reaching a shell.)
   - The injected command can then fetch and run arbitrary payloads (reverse shell, credential theft, data exfiltration tooling).
Exploitation Requirements
- Victim must run reconFTW against a domain controlled by the attacker.
- No prior authentication is required.
- User interaction is limited to running the tool against the attacker's domain (hence UI:R in the CVSS vector); no further action by the victim is needed.
Proof-of-Concept (PoC) Scenario
The advisory does not publish the exact payload; the scenario below shows the shape of the attack.
- Attacker serves, from a web server on a domain they control:
  Content-Security-Policy: script-src 'self' https://<crafted-entry>.attacker.example
  where <crafted-entry> is a token that is not a valid hostname but carries shell syntax.
- Victim executes:
  ./reconftw.sh -d attacker.example
- reconFTW harvests <crafted-entry>.attacker.example as a "subdomain" and passes it, unvalidated, into later commands; the shell interprets the embedded syntax and runs the attacker's command.
- That command stages the real payload (reverse shell, dropper) on the scanning host.
3. Affected Systems & Software Versions
Vulnerable Software
- Product: reconFTW (Automated Reconnaissance Tool)
- Vendor: six2dez
- Affected Versions: All versions prior to 2.7.1.1
- Fixed Version: 2.7.1.1 (released to address the vulnerability)
Impacted Use Cases
- Penetration Testers & Red Teams using reconFTW for automated reconnaissance.
- Bug Bounty Hunters leveraging reconFTW for subdomain enumeration.
- Security Researchers conducting vulnerability assessments.
Non-Affected Systems
- Systems where reconFTW is not installed.
- Systems running reconFTW v2.7.1.1 or later.
4. Recommended Mitigation Strategies
Primary Mitigation: Upgrade Immediately
- Upgrade to reconFTW v2.7.1.1 (or later) to resolve the vulnerability.
```bash
git clone https://github.com/six2dez/reconftw.git
cd reconftw
git checkout v2.7.1.1
./install.sh
```
Secondary Mitigations (If Upgrade is Not Possible)
1. Input validation and sanitization
   - Patch the local copy of reconFTW to validate every hostname harvested from CSP headers (and from other scraped sources) before it is used: accept only RFC 1123 hostname syntax, and only hosts within the target's scope.
   - Pass hostnames to downstream tools as quoted arguments or via input files, never by splicing them into command strings that a shell re-parses.
2. Network-level protections
   - Run scans from a host whose outbound traffic is restricted, so a successful injection cannot reach an attacker's staging server.
   - Use firewall rules to block connections to known malicious domains.
3. Runtime protections
   - Run reconFTW in a sandboxed environment (e.g., Docker, Firejail) as an unprivileged user with no access to credentials or the internal network.
   - Use AppArmor/SELinux to restrict what the reconFTW process tree can execute and reach.
4. Monitoring and detection
   - Log the hostnames reconFTW extracts from CSP headers and alert on entries that are not syntactically valid hostnames.
   - Monitor for unexpected child processes and outbound connections from the reconFTW process tree.
Operational Workarounds
The advisory lists no official workaround; the following only reduce exposure.
- Do not run reconFTW against domains you do not control or trust (review targets manually before execution).
- Use alternative tools (e.g., Amass, Subfinder) for subdomain enumeration until the upgrade is done.
5. Impact on the European Cybersecurity Landscape
Threat to European Organizations
- High Risk for Security Teams: reconFTW is popular with penetration testers, CERTs and bug bounty hunters, and those are exactly the users who point it at domains they do not control; an attacker who expects to be scanned can plant the crafted CSP entry in advance.
- Supply Chain Risk: If reconFTW is integrated into automated security pipelines, exploitation could lead to lateral movement within internal networks.
- Regulatory Compliance Concerns:
- GDPR (Art. 32): Failure to patch may result in non-compliance if exploitation leads to data breaches.
- NIS2 Directive: Critical infrastructure operators must ensure secure tooling to prevent RCE attacks.
Geopolitical & Threat Actor Implications
- State-Sponsored Actors: Could exploit this to compromise security researchers conducting investigations.
- Cybercriminals: May use this to deploy ransomware or spyware on vulnerable systems.
- APT Groups: Could leverage this for initial access in targeted attacks.
ENISA & ECSO Considerations
- ENISA Threat Landscape: This vulnerability aligns with increased RCE attacks observed in 2023-2024.
- EU Cyber Resilience Act (CRA): Highlights the need for secure-by-design tools in cybersecurity workflows.
- CSIRT Network: European CERTs should disseminate advisories to national security teams.
6. Technical Details for Security Professionals
Root Cause Analysis
- Insufficient input validation: reconFTW trusts the hostnames it scrapes from CSP headers of the target's sites without checking that they are syntactically valid, in-scope hostnames.
- Code execution path:
  - Subdomain enumeration fetches the target's CSP header and extracts the hosts listed in its source directives (script-src and similar).
  - A crafted entry that is not a hostname is carried into the subdomain list unchanged.
  - reconFTW, a Bash script, passes subdomain strings into further commands; the crafted entry is interpreted by the shell and its embedded command runs on the scanning host (the advisory does not publish the exact vulnerable line).
  - The injected command spawns a reverse shell or downloads additional payloads.
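The code path above (and the PoC scenario in Section 2) reduce to one pattern: a token scraped from a CSP header reaches a shell without being checked. The script below is an added example, not reconFTW's own code, and does not reproduce the real vulnerable line or payload. It assumes a naive CSP scraper, an illustrative unsafe sink that splices the token into an `sh -c` string, a constructed CSP sample whose hostile entry only echoes a marker, and `example.com` as the scan scope. The hardened path validates each token as an RFC 1123 hostname inside that scope and then passes it as an argument rather than through a shell string.

```sh
#!/bin/sh
# Added example (not reconFTW code): harvesting hostnames from a CSP header,
# the unsafe way to consume them, and a validating filter.

# Constructed sample CSP value. The hostile entry is harmless here: it only
# echoes a marker. A real payload would carry a stager such as curl|sh.
CSP_SAMPLE="default-src 'self'; script-src https://cdn.example.com 'unsafe-inline' https://\$(echo INJECTED).example.com; img-src *"

# Naive harvesting: split directives on ';' and tokens on whitespace, strip
# scheme and quotes, keep anything containing a dot. This is the scraper
# behaviour the attack relies on: it never checks that a token is a hostname.
extract_csp_hosts() {
  printf '%s\n' "$1" | tr ';' '\n' | tr ' ' '\n' \
    | sed -E "s#^https?://##; s/'//g" | grep -E '\.' | sort -u
}

# UNSAFE sink (illustrative of the bug class, not the actual reconFTW line):
# the harvested token is spliced into a command string that a shell re-parses,
# so $(...), backticks and ';' inside the token become code.
vulnerable_process() {
  sh -c "echo resolving $1"
}

# Hardened check: RFC 1123 hostname syntax plus a scope check, so an entry
# must look like a hostname AND belong to the target being scanned.
is_valid_subdomain() {
  h=$1; scope=$2
  [ "${#h}" -le 253 ] || return 1
  printf '%s\n' "$h" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$' || return 1
  case "$h" in
    "$scope"|*."$scope") return 0 ;;
    *) return 1 ;;
  esac
}

# Safe pipeline: validate every harvested token and hand survivors on as a
# quoted argument, never through a shell string. Accepted hosts go to stdout,
# rejected tokens to stderr.
scan_csp_hosts() {
  csp=$1; scope=$2
  extract_csp_hosts "$csp" | while IFS= read -r host; do
    if is_valid_subdomain "$host" "$scope"; then
      printf 'resolving %s\n' "$host"
    else
      printf 'rejected: %s\n' "$host" >&2
    fi
  done
}

# Demo: the unsafe sink runs the embedded command; the validated pipeline
# keeps cdn.example.com and rejects the crafted token.
echo "--- unsafe sink, hostile token ---"
extract_csp_hosts "$CSP_SAMPLE" | while IFS= read -r host; do vulnerable_process "$host"; done
echo "--- validated pipeline ---"
scan_csp_hosts "$CSP_SAMPLE" example.com
```

The scope check matters as much as the syntax check: an out-of-scope but syntactically valid host is how an attacker steers later scan stages at third parties, and rejecting it costs nothing. Whatever consumes the accepted hosts should take them from a file or as discrete arguments; the moment a hostname is interpolated into a string that `sh -c`, `eval` or `xargs -I{} sh -c` re-parses, the validation is the only thing standing between the CSP and a shell.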
Patch Analysis (GitHub Commit e639de356c0880fe5fe01a32de9d0c58afb5f086)
- Key fix: entries retrieved from CSP headers are validated before being treated as subdomains, so only syntactically valid hostnames are kept. This matches the advisory's framing of the bug as inadequate validation of retrieved subdomains.
- Rejecting CSP keywords such as 'unsafe-eval' or 'unsafe-inline' would not address this vulnerability: those keywords are ordinary tokens in a policy, and the problem is a hostile token in the source list, not the policy's directives.
- Verify the fix locally by reading the commit and confirming that the CSP-harvesting step filters its output before any of it reaches a command.
Detection & Forensics
- Indicators of compromise (the values below are illustrative, not known-bad indicators):
  - Network: connections from the scanning host to the attacker-controlled domain beyond the expected recon traffic, for example a connection opened by a shell rather than by a recon tool.
  - Process: unexpected children of the reconFTW process tree, such as a shell with a reverse-shell command line (nc, bash -i, /dev/tcp/). reconFTW legitimately spawns bash, python, curl and wget, so the process name alone is not an indicator.
  - Filesystem: scripts or binaries dropped by the injected command (e.g., /tmp/malicious.sh).
- Log analysis:
  - Check reconFTW's subdomain lists and the CSP data it scraped for entries that are not valid hostnames (shell metacharacters, quotes, whitespace).
  - Monitor process-execution logs (auditd, eBPF-based tooling) for unexpected commands under the reconFTW process tree.
Exploitation Detection Rules (Sigma/YARA/Snort)
Sigma Rule (Suspicious reconFTW Child Process)
```yaml
title: Suspicious reconFTW Child Process (Potential RCE)
id: 00000000-0000-4000-8000-000000000000   # placeholder, generate a fresh UUIDv4 before deployment
status: experimental
description: Detects reverse-shell style command lines spawned under a reconFTW run. reconFTW is a Bash script, so the parent image is bash; match on the parent command line instead of the image name.
references:
    - https://github.com/six2dez/reconftw/security/advisories/GHSA-fxwr-vr9x-wvjp
author: EUVD Security Team
date: 2023/10/20
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent:
        ParentCommandLine|contains: 'reconftw.sh'
    selection_revshell:
        CommandLine|contains:
            - '/dev/tcp/'
            - 'nc -e'
            - 'bash -i'
            - 'sh -i'
            - 'mkfifo'
    condition: selection_parent and selection_revshell
falsepositives:
    - Custom scripts configured in reconftw.cfg that legitimately open sockets
level: high
```
Matching only on child image names (bash, sh, python, curl, wget) is useless here: reconFTW spawns all of them constantly during a normal run. The rule therefore keys on reverse-shell command-line fragments. Because reconFTW drives many tools through wrappers, the immediate parent may be an intermediate process; if your EDR exposes process ancestry, match 'reconftw.sh' anywhere in the ancestor chain rather than only on the direct parent.
Snort Rule (Malicious CSP Header Detection)
```
alert tcp any 80 -> any any (msg:"Potential RCE via Crafted CSP Header (CVE-2023-46117)";
  flow:to_client,established; content:"Content-Security-Policy|3A|"; nocase;
  pcre:"/Content-Security-Policy:[^\r\n]*(\$\(|`|\$\{)/i";
  reference:cve,2023-46117; classtype:attempted-admin; sid:1000001; rev:2;)
```
Content-Security-Policy is a response header, so the rule must watch traffic from the server to the client (flow:to_client, source port 80); a to_server rule would never see it. The pattern looks for shell command-substitution syntax inside the header value, which never appears in a legitimate policy; matching 'unsafe-eval' or 'unsafe-inline' would fire on a large share of ordinary websites and has nothing to do with this bug. The rule only sees plaintext HTTP; CSP headers delivered over HTTPS require TLS termination or inspection at the proxy the scanning host uses.
Conclusion & Recommendations
Key Takeaways
- Critical RCE vulnerability in reconFTW (CVE-2023-46117) with a CVSS 9.6 score.
- Exploitable via a crafted CSP entry on an attacker-controlled domain; the only user action required is scanning that domain.
- High risk for European security teams due to widespread reconFTW usage.
Immediate Actions
- Upgrade reconFTW to v2.7.1.1 (or later).
- Audit recent scans for exposure to untrusted domains.
- Implement detection rules to monitor for exploitation attempts.
- Educate security teams on the risks of automated reconnaissance tools.
Long-Term Recommendations
- Adopt secure-by-default tools in cybersecurity workflows.
- Enhance input validation in open-source security tools.
- Collaborate with ENISA to improve vulnerability disclosure processes.
References: