CVE-2022-31137 Scanner
CVE-2022-31137 Scanner - Remote Code Execution in Roxy-WI
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 8 days 8 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
Roxy-WI is an open-source web interface designed for managing HAProxy, Nginx, and Keepalived servers. Widely used by DevOps and system administrators, Roxy-WI enables configuration, statistics monitoring, and server management via a centralized GUI. Roxy-WI is often hosted in internal environments and trusted zones, but misconfigurations or outdated versions expose it to significant risks. Its core functions interact heavily with the system shell, making robust input validation essential to maintaining system integrity.
CVE-2022-31137 highlights a critical remote code execution vulnerability present in versions prior to 6.1.1.0. The flaw resides in the `subprocess_execute` function found within `/app/options.py`. This function does not sanitize user input correctly, allowing remote attackers to inject and execute arbitrary system commands. The vulnerable endpoint, `/app/options.py`, can be reached via a crafted POST request. Because the input is passed directly to the system shell, attackers can exploit the flaw by injecting shell metacharacters or commands in request parameters like `ipbackend` or `backend_server`.
Because the output of the injected command is reflected in the HTTP response, successful exploitation is directly observable. For example, a POST request embedding `";cat /etc/passwd##` returns the contents of the server's password file in the response, demonstrating arbitrary command execution. The scanner's matchers report the host as vulnerable when the response body matches a pattern such as `root:.*:0:0:` and the HTTP status is 200.
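As an added illustration (this is not Roxy-WI's code and not the scanner's template), the Python below contrasts the root cause described above, a command string built from a request value and handed to the system shell, with the argument-vector form that renders shell metacharacters inert, and adds an allowlist check of the kind a `backend_server`/`ipbackend` parameter needs. The injected value and the harmless `echo` standing in for the injected command are constructed for this example.

```python
import ipaddress
import re
import subprocess

# Constructed sample input of the kind the page describes: a backend address
# followed by shell metacharacters and a second command. A harmless `echo`
# stands in for the injected command so the demonstration is self-contained.
INJECTED_VALUE = '127.0.0.1"; echo INJECTED #'

# DNS hostname: dot-separated labels of letters, digits and hyphens (RFC 1123 shape).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def run_shell_unsafe(backend: str) -> str:
    """Vulnerable pattern (illustrative only): the request value is interpolated
    into a command string that the system shell then parses, so `;` ends the
    intended command and everything after it runs as a new one."""
    cmd = f'echo "checking backend {backend}"'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_safe(backend: str) -> str:
    """Hardened form: an argument vector with no shell, so `"`, `;` and `#`
    reach the program as literal characters instead of shell syntax."""
    argv = ["echo", f"checking backend {backend}"]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def is_valid_backend(value: str) -> bool:
    """Allowlist check: accept only an IPv4 address or a plain DNS hostname,
    rejecting anything else before it gets near a command."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.fullmatch(value) is not None


if __name__ == "__main__":
    print("passes allowlist?", is_valid_backend(INJECTED_VALUE))
    print("shell=True output:", repr(run_shell_unsafe(INJECTED_VALUE)))
    print("argv output:      ", repr(run_argv_safe(INJECTED_VALUE)))
```

With the shell form the second line `INJECTED` appears in the output; with the argv form the whole value is echoed back as one literal string, and the allowlist rejects it outright.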
Exploitation enables complete system compromise, data exfiltration, installation of backdoors, and lateral movement. Given Roxy-WI’s privileged role in managing load balancers and networking components, a successful attack could disrupt service availability and compromise infrastructure configurations. The vulnerability is remotely exploitable without authentication, magnifying its severity and requiring immediate attention from system administrators.