CVE-2023-30261 Security advisory

Multiple command injection vulnerabilities exist in openWB version 1.7 and older. Each allows an unauthenticated user to execute arbitrary OS commands on the host. In the default configuration of openWB, commands can be executed with root privileges.

Affected products

• Introduced in openWB version 1.6 (commit b5d545c)
• Present in version 1.7 (commit 5c44516)

Steps to reproduce

1. Visit http://target/openWB/modules/soc_eq/callback_lp.php?code=1&state=;uptime>/tmp/hax;echo
2. Observe that the file /tmp/hax has been created on the server, containing the output of uptime.

Cause

Unsanitized user input is passed to system() at callback_lp.php:4, callback_lp1.php:4 and callback_lp2.php:4.

Impact

An unauthorized user is able to execute arbitrary OS commands.

In the default openWB configuration, the www-data user is given unconstrained sudo access. For this reason, any command can trivially be executed with root privileges.

Proposed Mitigation

Sanitize the user input using a function such as escapeshellargs() before passing it to system().

History

• 2023-06-26: CVE-2023-30261 assigned
• 2023-03-30: Fix committed
• 2023-03-29: Initial report filed