Unauthorized remote code execution as root #250

Closed
Pyriphlegethon opened this issue Nov 10, 2018 · 1 comment

@Pyriphlegethon

FruityWifi contains two security vulnerabilities that allow an unauthorized attacker to take complete control over the system.

The first vulnerability has already been released by another researcher and was assigned CVE-2018-17317:

FruityWifi (aka PatatasFritas/PatataWifi) 2.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the io_mode, ap_mode, io_action, io_in_iface, io_in_set, io_in_ip, io_in_mask, io_in_gw, io_out_iface, io_out_set, io_out_mask, io_out_gw, iface, or domain parameter to /www/script/config_iface.php, or the newSSID, hostapd_secure, hostapd_wpa_passphrase, or supplicant_ssid parameter to /www/page_config.php.

Now to exploit this vulnerability an attacker needs a valid session, but it turns out that command injection is also possible in a file that lacks any access control.

The file `www/modules/save.php` is accessible to anyone (erroneously?) and the validation attempt in `regex_standard` can be bypassed. So a POST request to `modules/save.php` with a `mod_name` value of `a; netcat -lp 1234 < /etc/passwd; echo` will execute `netcat -lp 1234 < /etc/passwd`.

Even if the regex used in `regex_standard` were correct, it would still be too lenient (because it allows `-` and spaces).

xtr4nge added a commit that referenced this issue Jan 6, 2019
@xtr4nge
Owner

xtr4nge commented Jan 6, 2019

Hi Pyriphlegethon,
Thanks for reporting the issue. I added the session validation into save.php.
Please note that PatatasFritas is an old fork of FruityWiFi (FruityWiFi is the original project) and it was forked before adding session validation into FruityWiFi.

regards

@xtr4nge xtr4nge closed this as completed Jan 6, 2019
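
A sketch of the two defences discussed in this thread (session validation before anything else, and a stricter check than the one the report calls too lenient), added here as an example and not taken from FruityWifi. The start-anchored weak pattern is an assumption about how such a check can be bypassed; the function names, the `user_id` session key, the `/bin/echo` helper and the module list are hypothetical.

```php
<?php
// Added example, not FruityWifi code; names, session key and module list are hypothetical.

// Assumed weak check: anchored only at the start, and allows "-" and spaces.
function weak_is_valid(string $v): bool {
    return preg_match('/^[a-z0-9 _-]{1,20}/i', $v) === 1;
}

// Strict check: \A...\z binds the whole string (unlike "$", \z rejects a trailing
// newline), no spaces or dashes, and the name must be on a server-side allowlist.
function strict_is_valid(string $v, array $known): bool {
    return preg_match('/\A[a-z0-9_]{1,20}\z/i', $v) === 1 && in_array($v, $known, true);
}

// Pass the value as one argv element; the array form of proc_open (PHP 7.4+)
// starts the program directly, so no shell ever parses the value.
function run_module_action(string $module): string {
    $proc = proc_open(['/bin/echo', 'saving', $module], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start helper');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return trim($out);
}

// Handler order: authenticate, validate, then act.
function handle_save(array $session, array $post, array $known): array {
    if (empty($session['user_id'])) {
        return [403, 'login required'];
    }
    $mod = $post['mod_name'] ?? '';
    if (!is_string($mod) || !strict_is_valid($mod, $known)) {
        return [400, 'invalid mod_name'];
    }
    return [200, run_module_action($mod)];
}

// Constructed inputs; $reported is the mod_name value quoted in the report.
$known = ['example_module'];
$reported = 'a; netcat -lp 1234 < /etc/passwd; echo';
// Compare both checks on the reported value, then exercise the handler's paths:
// no session, session with the reported value, session with an allowlisted name.
var_dump(weak_is_valid($reported), strict_is_valid($reported, $known));
print_r(handle_save([], ['mod_name' => 'example_module'], $known));
print_r(handle_save(['user_id' => 1], ['mod_name' => $reported], $known));
print_r(handle_save(['user_id' => 1], ['mod_name' => 'example_module'], $known));
```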