## **1. Overview**

A security vulnerability has been discovered in Akaunting, an open-source online accounting software. The issue allows an attacker to install paid applications for free, leading to further exploitation, including remote code execution (RCE) and local privilege escalation (LPE). This report outlines the details of the vulnerability, its impact, and potential mitigation steps.

---

## **2. Description of the Vulnerability**

### **2.1 Business Logic Bug in Application Purchase System**

Akaunting offers an App Store where users can purchase and install various applications to extend functionality. A flaw in the request processing allows an attacker to:

- Modify request parameters (name, version, path) to install paid applications for free.
- Obtain the required version details from app descriptions.
- Successfully install premium applications without paying.

**Steps to Reproduce:**

1. Identify a free app and capture the request during installation.
2. Modify the app name, version, and path to correspond to a paid app.
3. Send the modified request.
4. The paid app installs successfully without payment.

---

### **2.2 Remote Code Execution (RCE) via Command Injection**

By manipulating the alias field in the app installation request, it is possible to inject arbitrary commands, leading to RCE.

![image](https://gist.github.com/user-attachments/assets/01b466f5-d735-463d-80db-772b52dfcfe3)

**Steps to Exploit:**

1. Change the alias value to a random string.
2. Observe the error response and analyze potential command injection points.
3. Utilize a reverse shell payload generated from [https://www.revshells.com/](https://www.revshells.com/).
4. Successfully gain a reverse shell.

Once RCE is achieved, the attacker can:

- Access Akaunting’s `.env` file containing sensitive API keys, AWS credentials, and database access.
- Extract CloudWatch logs and backups.
- Attempt further privilege escalation.

---

### **2.3 Local Privilege Escalation (LPE)**

After obtaining a shell, privilege escalation is possible using CVE-2021-4034 (Polkit vulnerability).

**Exploit Used:** [https://haxx.in/files/blasty-vs-pkexec.c](https://haxx.in/files/blasty-vs-pkexec.c)

**Steps to Exploit:**

1. Identify the system running a vulnerable version of `pkexec`.
2. Compile and execute the exploit.
3. Gain root access to the system.

This allows full control over the server, enabling further malicious activities.

---

## **3. Impact**

- Unauthorized installation of paid applications.
- Full compromise of the Akaunting server.
- Exposure of API keys and sensitive credentials.
- Potential abuse of AWS services linked to Akaunting.
- Local privilege escalation leading to complete system takeover.

---

## **4. Recommendations & Mitigations**

### **4.1 Business Logic Fixes**

- Implement proper server-side validation of app purchases.
- Use signed requests to prevent unauthorized modifications.
- Validate version details against a trusted database.

### **4.2 RCE Mitigation**

- Sanitize and validate all input fields, especially alias and path parameters.
- Use allowlists for permitted values in app installation requests.
- Restrict application installation permissions to prevent arbitrary command execution.

### **4.3 LPE Prevention**

- Patch all Akaunting instances with the latest security updates.
- Disable `pkexec` if not needed.
- Apply recommended fixes for CVE-2021-4034.

### **4.4 Additional Security Measures**

- Restrict access to sensitive files such as `.env`.
- Implement logging and monitoring for unusual activities.
- Enforce strict access controls and role-based permissions.

---

## **5. Proof of Concept (PoC) Code**

A working exploit has been demonstrated and documented in the following GitHub repository: [https://github.com/aydinnyunus/akaunting-authenticated-rce](https://github.com/aydinnyunus/akaunting-authenticated-rce)

References:

- https://x.com/akaunting/status/1493271125073309700
- https://github.com/akaunting/akaunting/releases/tag/2.1.31
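The server-side checks recommended in sections 4.1 and 4.2, as an added Python illustration that is not Akaunting's own code: the purchase is verified against a server-held entitlement table, the client-supplied name/version/path are ignored in favour of catalogue values, and the alias is restricted to an allowlist and passed as a discrete argv element rather than through a shell. The catalogue, the entitlement table and the `app:install` command are constructed placeholders.

```python
import re

# Constructed server-side catalogue: the only source of truth for which apps
# exist, which version ships, and whether they are paid. Hypothetical data.
CATALOG = {
    "free-sample": {"version": "1.0.0", "paid": False},
    "premium-reports": {"version": "2.3.1", "paid": True},
}

# Constructed entitlement table: (company_id, alias) pairs with a verified purchase.
ENTITLEMENTS = {("company-1", "premium-reports")}

# Allowlist for the alias: lowercase letters, digits and hyphens only, so shell
# metacharacters (; | & $ ` and friends) can never reach an install command.
ALIAS_RE = re.compile(r"^[a-z][a-z0-9-]{1,63}$")


class InstallRejected(ValueError):
    """Raised when an install request fails validation."""


def validate_install_request(req: dict, company_id: str) -> dict:
    """Validate a client install request and return the server-decided job.

    Every value that drives the installation (version, path) comes from the
    catalogue, so tampering with name/version/path in the request cannot
    redirect the install to a paid app, and the alias is checked against the
    allowlist before it is used anywhere.
    """
    alias = str(req.get("alias", ""))
    if not ALIAS_RE.fullmatch(alias):
        raise InstallRejected("alias must match ^[a-z][a-z0-9-]{1,63}$")
    entry = CATALOG.get(alias)
    if entry is None:
        raise InstallRejected(f"unknown app {alias!r}")
    if entry["paid"] and (company_id, alias) not in ENTITLEMENTS:
        raise InstallRejected(f"no verified purchase of {alias!r} for {company_id}")
    # Client-sent version/path are deliberately ignored; catalogue values win.
    return {"alias": alias, "version": entry["version"], "path": f"modules/{alias}"}


def build_install_argv(job: dict) -> list:
    """Build the install command as an argv list (no shell), so the alias is one
    argument and can never be parsed as shell syntax. The `app:install` command
    is a hypothetical placeholder, not Akaunting's real installer."""
    return ["php", "artisan", "app:install", job["alias"], job["version"]]
```

Run the argv with `subprocess.run(argv)` (no `shell=True`); a request whose alias carries `; id` or similar never gets past the allowlist check.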