xtr4nge / FruityWifi

FruityWiFi is a wireless network auditing tool. The application can be installed in any Debian based system (Jessie) adding the extra packages. Tested in Debian, Kali Linux, Kali Linux ARM (Raspberry Pi), Raspbian (Raspberry Pi), Pwnpi (Raspberry Pi), Bugtraq, NetHunter.
http://www.fruitywifi.com
GNU General Public License v3.0

Unauthorized remote code execution as root #250

Closed Pyriphlegethon closed 5 years ago

Pyriphlegethon commented 6 years ago

FruityWifi contains two security vulnerabilities that allow an unauthorized attacker to take complete control over the system.

The first vulnerability has already been released by another researcher and was assigned CVE-2018-17317:

FruityWifi (aka PatatasFritas/PatataWifi) 2.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the io_mode, ap_mode, io_action, io_in_iface, io_in_set, io_in_ip, io_in_mask, io_in_gw, io_out_iface, io_out_set, io_out_mask, io_out_gw, iface, or domain parameter to /www/script/config_iface.php, or the newSSID, hostapd_secure, hostapd_wpa_passphrase, or supplicant_ssid parameter to /www/page_config.php.

Now to exploit this vulnerability an attacker needs a valid session, but it turns out that command injection is also possible in a file that lacks any access control.

The file www/modules/save.php is accessible to anyone (erroneously?) and the validation attempt in regex_standard can be bypassed. So a POST request to modules/save.php with a mod_name value of a; netcat -lp 1234 < /etc/passwd; echo will execute netcat -lp 1234 < /etc/passwd.

Even if the regex used in regex_standard were correct, it would still be too lenient (because it allows - and spaces).
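The following is an added illustration, not code from the FruityWiFi repository and not part of the report above. It models the two points the report makes about save.php: an unanchored regex check that a value like `a; netcat -lp 1234 < /etc/passwd; echo` slips through, and an anchored regex that still admits `-` and spaces, next to a strict whitelist plus `escapeshellarg` and a session gate. The function names, the `ls modules/...` command template and the `$_SESSION['user']` key are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added illustration of the save.php weakness described in the issue;
// not FruityWiFi's own code. Function names, the command template and
// the session key are assumptions.

// The payload quoted in the report.
const PAYLOAD = 'a; netcat -lp 1234 < /etc/passwd; echo';

// Weak check: without ^...$ anchors preg_match only needs *some* substring
// to match, so the leading "a" satisfies it and the rest of the value,
// shell metacharacters included, is never examined.
function validate_unanchored(string $mod_name): bool
{
    return preg_match('/[A-Za-z0-9_\- ]+/', $mod_name) === 1;
}

// Anchored but still lenient: the whole value must match, yet "-" and
// spaces stay allowed, so extra arguments or options can still be
// injected into whatever command eventually receives the value.
function validate_anchored_lenient(string $mod_name): bool
{
    return preg_match('/^[A-Za-z0-9_\- ]+$/', $mod_name) === 1;
}

// Strict check: anchored, alphanumerics and underscore only, bounded length.
function validate_strict(string $mod_name): bool
{
    return preg_match('/^[A-Za-z0-9_]{1,64}$/', $mod_name) === 1;
}

// Unsafe pattern: the request value is interpolated straight into a shell
// string, so ";" starts a second command.
function build_command_unsafe(string $mod_name): string
{
    return "ls modules/$mod_name";
}

// Safe pattern: reject anything outside the strict whitelist and, as
// defence in depth, quote the value as a single shell argument.
function build_command_safe(string $mod_name): ?string
{
    if (!validate_strict($mod_name)) {
        return null;
    }
    return 'ls modules/' . escapeshellarg($mod_name);
}

// The missing access control: refuse requests without an authenticated
// session before touching anything else. 'user' is an assumed session key.
function require_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user'])) {
        http_response_code(403);
        exit('forbidden');
    }
}

// Demonstration, run with: php save_demo.php
printf("unanchored check accepts payload:       %s\n", var_export(validate_unanchored(PAYLOAD), true));
printf("anchored-lenient check accepts payload: %s\n", var_export(validate_anchored_lenient(PAYLOAD), true));
printf("anchored-lenient check accepts '-rf x': %s\n", var_export(validate_anchored_lenient('-rf x'), true));
printf("strict check accepts payload:           %s\n", var_export(validate_strict(PAYLOAD), true));
printf("unsafe command string: %s\n", build_command_unsafe(PAYLOAD));
printf("safe command (payload): %s\n", var_export(build_command_safe(PAYLOAD), true));
printf("safe command (mod_x):   %s\n", build_command_safe('mod_x'));
```

`require_session()` is defined but not called in the CLI demo because it would end the script; in a web handler it belongs at the very top of save.php, before any parameter is read. The order of checks matters: the session gate stops unauthenticated callers entirely, the strict regex stops metacharacter and option injection for authenticated ones, and `escapeshellarg` is only a last line of defence, not a substitute for either.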

xtr4nge commented 5 years ago

Hi Pyriphlegethon, thanks for reporting the issue. I added the session validation into save.php. Please note that PatatasFritas is an old fork of FruityWiFi (FruityWiFi is the original project) and it was forked before adding session validation into FruityWiFi.

regards