<p>The Commotion node web interface allows anonymous (unauthenticated)<br>
users of the node to add local application URLs through the Application<br>
Portal. Parameters passed to this form are only moderately sanitized<br>
against XSS attacks. Some of the parameters (ipaddr and port) are then<br>
interpolated into an OS command that checks whether the submitted app is<br>
reachable, and that command is executed with luci.sys.exec:</p>

<p><a href="https://github.com/opentechinstitute/commotion-apps/blob/29f28511ca48cfdb208096c5e2426e06312689e2/lua/luci/controller/commotion/apps_controller.lua#L320-L340">https://github.com/opentechinstitute/commotion-apps/blob/29f28511ca48cfdb208096c5e2426e06312689e2/lua/luci/controller/commotion/apps_controller.lua#L320-L340</a></p>

<p>If a URL was submitted instead of an IP address (that is, if the sent<br>
value does not match IP address syntax), the protocol part of the ipaddr<br>
value is removed and the value is truncated at the first : or / character<br>
(to remove the port/path). Before that, though, the initial sanitization<br>
routine encodes only the following characters: &lt;&gt;&amp;\r\n&quot; using the<br>
html_encode helper function:</p>

<p><a href="https://github.com/opentechinstitute/commotion-apps/blob/29f28511ca48cfdb208096c5e2426e06312689e2/lua/luci/controller/commotion/apps_controller.lua#L292-L299">https://github.com/opentechinstitute/commotion-apps/blob/29f28511ca48cfdb208096c5e2426e06312689e2/lua/luci/controller/commotion/apps_controller.lua#L292-L299</a></p>

<p><a href="https://github.com/opentechinstitute/luci-commotion/blob/9acaeb04fe337da6b4059096a74eae7807182994/luasrc/commotion_helpers.lua">https://github.com/opentechinstitute/luci-commotion/blob/9acaeb04fe337da6b4059096a74eae7807182994/luasrc/commotion_helpers.lua</a></p>

<p>This moderately transformed value is then passed to the OS command<br>
execution routine. Shell metacharacters outside that small encoded set<br>
(for example ; ` and $) survive the transformation untouched, so by<br>
manipulating the ipaddr parameter an attacker can execute arbitrary OS<br>
commands.</p>

<p>No CSRF token is required to submit such a request. Users of the<br>
Commotion node could therefore unknowingly execute arbitrary OS commands<br>
with root privileges on the device just by visiting a website carrying a<br>
prepared payload.</p>

<p>Further investigation shows that a similar vulnerability was already<br>
reported as fixed: <a href="https://code.commotionwireless.net/issues/548">https://code.commotionwireless.net/issues/548</a>.<br>
However, as demonstrated, new bypasses are still possible, and it is<br>
recommended to perform strict input validation (e.g. allowing only<br>
alphanumeric characters plus a chosen set of known-safe characters,<br>
depending on the context).</p>
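<p>The following Lua snippet is an added example and is not code from the commotion-apps repository. It models the sanitization described above (html_encode of <code>&lt;&gt;&amp;\r\n"</code>, scheme stripping and truncation at the first <code>:</code> or <code>/</code> for non-IP values) and a hypothetical command template built from ipaddr and port, then shows why a value such as <code>example.com;id</code> passes through unchanged while an allowlist validator rejects it. The function names, the IPv4 check, the <code>nc</code> command line and the sample payload are all assumptions made for the illustration; luci.sys.exec is deliberately not called, so the block runs on plain Lua 5.1 or later.</p>

```lua
-- Added example, not code from commotion-apps or LuCI.
-- Models the reported sanitizer and contrasts it with strict validation.

-- Encodes only the characters the report says html_encode handles.
local function html_encode(s)
  return (s:gsub("[<>&\r\n\"]", {
    ["<"] = "&lt;", [">"] = "&gt;", ["&"] = "&amp;",
    ["\r"] = "&#13;", ["\n"] = "&#10;", ['"'] = "&quot;",
  }))
end

-- Hypothetical IPv4 syntax check (the real controller's test may differ).
local function is_ipv4(s)
  local a, b, c, d = s:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if not a then return false end
  for _, o in ipairs({a, b, c, d}) do
    if tonumber(o) > 255 then return false end
  end
  return true
end

-- Model of the "moderate" transformation: html-encode, then for a
-- non-IP value strip the scheme and cut at the first ':' or '/'.
local function sanitize_ipaddr(raw)
  local v = html_encode(raw)
  if not is_ipv4(v) then
    v = v:gsub("^%a[%w%+%.%-]*://", "")  -- drop "http://", "https://", ...
    v = v:match("^[^:/]*")               -- drop port and path
  end
  return v
end

-- Hypothetical command template standing in for the luci.sys.exec call.
-- The sanitized value is interpolated straight into the shell line.
local function build_check_cmd(ipaddr, port)
  return string.format("nc -z -w 1 %s %s", ipaddr, port)
end

-- Hardened replacement: allowlist hostname/IPv4 characters and a
-- numeric port range; anything else is rejected with nil.
local function validate_host(raw)
  if #raw == 0 or #raw > 253 then return nil end
  if not raw:match("^[%w%.%-]+$") then return nil end
  return raw
end

local function validate_port(raw)
  local n = tonumber(raw:match("^(%d+)$"))
  if not n or n < 1 or n > 65535 then return nil end
  return tostring(n)
end

-- Constructed attacker value: it contains none of <>&"\r\n, no scheme
-- and no ':' or '/', so neither html_encode nor truncation alters it.
local payload = "example.com;id"

print("moderate sanitizer: " .. build_check_cmd(sanitize_ipaddr(payload), "80"))
print("allowlist host:     " .. tostring(validate_host(payload)))
print("allowlist host:     " .. tostring(validate_host("example.com")))
print("allowlist port:     " .. tostring(validate_port("80")))
print("allowlist port:     " .. tostring(validate_port("80;id")))
```

<p>The first line printed shows the injected <code>;id</code> sitting inside the command string the moderate sanitizer produces, which is exactly the situation the report describes; the allowlist functions return nil for the same payload and for a non-numeric port, and accept only a plain hostname and a port in range. The allowlist is the strict validation the report recommends; a further defence when a shell must be involved is to quote each argument with a dedicated helper rather than relying on blacklisting a few characters.</p>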

<p>Originally reported as WRT-01-001</p>

<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">Reply to this email directly or <a href='https://github.com/opentechinstitute/commotion-apps/issues/10'>view it on GitHub</a>.</p>