CVE-2024-29224

Vulnerability

An OS command injection vulnerability exists in GoCast version 1.1.3 within the natRule function in system.go. The function constructs an iptables command using the protocol, lport, and dport values extracted from the NAT string without proper sanitization. This injection can be triggered via the HTTP API (enabled by default with no authentication), through the configuration file, or via Consul integration [1].

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the GoCast HTTP API. The request must include a malicious NAT parameter containing shell metacharacters in any of the three fields (protocol, lport, or dport). No authentication is required, and the API is enabled by default in the configuration file [1].

Impact

Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the GoCast process (typically root). This leads to full compromise of confidentiality, integrity, and availability. The CVSSv3 score is 9.8 (Critical) [1].

Mitigation

As of the advisory publication, no patched version of GoCast has been released. Mitigations include disabling the HTTP API or placing it behind a proxy with authentication, disabling Consul integration if not required, and ensuring the configuration file has restrictive permissions (e.g., only readable by root and the GoCast user) [1].