Nuclei flaw bypasses template signature checks to execute commands

A new vulnerability in the open-source vulnerability scanner Nuclei could potentially allow attackers to bypass signature verification while sneaking malicious code into templates that execute on local systems.

Nuclei is a popular open-source vulnerability scanner created by ProjectDiscovery that scans websites for vulnerabilities and other weaknesses.

The project utilizes a template-based scanning system of over 10,000 YAML templates that scan websites for known vulnerabilities, misconfigurations, exposed configuration files, webshells, and backdoors.

The YAML templates also include a code protocol that can be used to execute commands or scripts locally on a device that extends the functionality of a template.

Each template is "signed" with a digest hash that Nuclei uses to verify that the template has not been modified to include malicious code.

This digest hash is added to the bottom of templates in the form of:

Flaw bypasses Nuclei signature verification

A new Nuclei vulnerability tracked as CVE-2024-43405 was discovered by researchers at Wiz that bypasses Nuclei's signature verification even if a template is modified to include malicious code.

The flaw is caused by a Go regex-based signature verification and how the YAML parser handles line breaks when verifying the signature.

When verifying a signature, Go's verification logic treats \r as part of the same line. However, the YAML parser interprets it as a line break. This mismatch allows attackers to inject malicious content that bypasses verification but is still executed when processed by the YAML parser.

Another issue is how Nuclei handles multiple # digest: signature lines, as the process only checks the first occurrence of # digest: in a template, ignoring any additional ones found later in the template.

This can be exploited by adding additional malicious "# digest:" payloads after the initial valid digest that contain a malicious "code" section, which is then injected and executed when the template is used.

"Armed with the insights about mismatched newline interpretations, we crafted a template that exploits the disparity between Go's regex implementation and the YAML parser," explains Wiz researcher Guy Goldenberg.

"By using \r as a line break, we can include a second # digest: line in the template that evades the signature verification process but gets parsed and executed by the YAML interpreter."

Example of how the different parsers parse a Nuclei template
Source: Wiz

Wiz responsibly disclosed the flaw to ProjectDiscovery on August 14, 2024, and it was fixed in Nuclei v3.3.2 on September 4.

If you are using older versions of Nuclei, it is strongly advised that you update the latest version now that the technical details for this bug have been publicly disclosed.

Goldenberg also recommends that Nuclei be used in a virtual machine or isolated environment to prevent potential exploitation from malicious templates.