O2OA NodeAgent Unauthenticated RCE via Weak Auth

[Security] RCE in NodeAgent due to a fixed-prefix weak authentication mechanism (o2oa <= v10.0) #194 Vulnerability Overview O2OA exposes an unauthenticated HTTP endpoint that returns the RSA public key used by the NodeAgent control channel. NodeAgent subsequently treats any credential that decrypts to a string starting with the fixed prefix as authenticated, without verifying signatures, nonces, timestamps, or any server-side secrets. When NodeAgent is reachable on the default TCP port 20019, an unauthenticated attacker can forge valid credentials using the public key, invoke the command to overwrite startup scripts such as or , and then invoke . During the restart process, the tampered startup script is executed, resulting in unauthenticated remote code execution. Root Cause: Failure of the trust boundary between authentication and control components. 1. The authentication module returns the current RSA public key to unauthenticated callers. 2. NodeAgent accepts any credential that decrypts to a string starting with . 3. The operation writes attacker-controlled bytes directly to paths under the server's base directory. 4. NodeAgent accepts requests and queues them for execution. 5. The command scheduler includes as an accepted command, which executes startup scripts from disk upon restart. Impact Scope An unauthenticated attacker who has access to the HTTP service and the NodeAgent port can execute arbitrary operating system commands with the privileges of the O2OA service account. This can lead to the complete compromise of the application server. Actual consequences include the installation of persistent backdoors, theft of configuration secrets and database credentials, tampering with application binaries and startup scripts, data destruction, and lateral movement to adjacent systems reachable from the host. Remediation 1. Replace the current NodeAgent trust model with genuine request authentication. A valid design should bind each request to a server-side secret or cryptographic signature (including nonces and timestamps), rather than accepting encryption based on a fixed prefix. 2. Restrict NodeAgent exposure so that it is not reachable from untrusted networks. If this functionality is indeed required, bind it to localhost or a controlled management network, and implement additional network controls around port 20019. 3. Restrict to a strict whitelist of safe paths, and explicitly prevent writing to startup scripts, configuration files, program binaries, and other execution-sensitive locations after path normalization. 4. Remove or strictly restrict remote execution operation commands such as , especially when these commands may lead to the execution of files previously written by the same remote channel. POC Code

Goal Reached Thanks to every supporter — we hit 100%!

O2OA NodeAgent Unauthenticated RCE via Weak Auth

More from this source