[Commotion-admin] [commotion-apps] RCE in add local applications form ‘ipaddr’ parameter (#10)

areynold notifications at github.com
Mon Sep 9 15:17:42 UTC 2013


The Commotion node web interface allows anonymous (unauthenticated)
users of the node to add local application URLs using the Application
Portal. Parameters passed to this form are moderately sanitized
against XSS attacks. Some of the parameters (ipaddr and port) are then
used to execute an OS command that checks whether the submitted app is
available, using luci.sys.exec:

https://github.com/opentechinstitute/commotion-apps/blob/29f28511ca48cfdb208096c5e2426e06312689e2/lua/luci/controller/commotion/apps_controller.lua#L320-L340

If a URL was submitted instead of an IP address (that is, if the sent
value does not match IP address syntax), the protocol part of the
ipaddr value is removed and the value is truncated at the first : or /
character (to remove the port/path). Before that, though, the initial
sanitization routine encodes the following characters: <>&\r\n" with
the html_encode helper function:

https://github.com/opentechinstitute/commotion-apps/blob/29f28511ca48cfdb208096c5e2426e06312689e2/lua/luci/controller/commotion/apps_controller.lua#L292-L299

https://github.com/opentechinstitute/luci-commotion/blob/9acaeb04fe337da6b4059096a74eae7807182994/luasrc/commotion_helpers.lua

Such a moderately transformed value is then passed to the OS command
execution routine. By manipulating the ipaddr parameter, an attacker
can execute arbitrary OS commands.

No CSRF tokens are needed to submit such a request. Users of the
Commotion node could unknowingly execute arbitrary OS commands with
root privileges on the device just by visiting a website with a
prepared payload.

Further investigation shows that a similar vulnerability was already
reported as fixed - https://code.commotionwireless.net/issues/548.
However, as demonstrated, new bypasses are still possible, and it's
recommended to perform strict input validation (e.g. allowing only
alphanumeric characters plus a chosen set of known-safe characters,
depending on the context).

Originally reported as WRT-01-001

---
Reply to this email directly or view it on GitHub:
https://github.com/opentechinstitute/commotion-apps/issues/10
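The filter chain described in the report, modelled in Lua as an added example; this is not code from commotion-apps or luci-commotion. The html_encode model escapes exactly the characters the report lists (the entity strings chosen for them are an assumption), normalize_ipaddr follows the protocol-strip and :/ truncation the report describes, and the "nc -z" command template, the function names and the sample inputs are all hypothetical stand-ins for the real command at the linked apps_controller.lua lines. The second half shows the allowlist check the report recommends, applied to the normalised value before it reaches any shell; the missing CSRF token is a separate issue not covered here.

```lua
-- Added example (not commotion-apps or luci-commotion code): a model of the
-- filter chain described in the report, followed by a strict allowlist check.
-- Command template, entity strings and function names are hypothetical.

-- Model of the html_encode helper: only <>&\r\n" are touched, so shell
-- metacharacters such as ; | ` $ ( ) pass through untouched.
local function html_encode(s)
  return (s:gsub('[<>&\r\n"]', {
    ["<"] = "&lt;", [">"] = "&gt;", ["&"] = "&amp;",
    ["\r"] = "&#13;", ["\n"] = "&#10;", ['"'] = "&quot;",
  }))
end

-- Model of the ipaddr normalisation: if the value is not a dotted quad, drop
-- a leading scheme and cut at the first ':' or '/' (removes port/path).
local function normalize_ipaddr(v)
  v = html_encode(v)
  if not v:match("^%d+%.%d+%.%d+%.%d+$") then
    v = v:gsub("^%a[%w%+%.%-]*://", "")
    v = v:match("^[^:/]*")
  end
  return v
end

-- The vulnerable pattern: string-building a shell command from the
-- normalised value. Placeholder command; luci.sys.exec would hand the
-- resulting string to a shell.
local function build_check_cmd(ipaddr, port)
  return "nc -z " .. normalize_ipaddr(ipaddr) .. " " .. port
end

-- Hardened variant: after normalisation, accept only an explicit allowlist
-- (letters, digits, '.', '-') instead of stripping what looks dangerous.
local function is_safe_host(v)
  return type(v) == "string" and #v > 0 and #v <= 253
    and v:match("^[%w%.%-]+$") ~= nil
end

local function is_safe_port(v)
  if type(v) ~= "string" or not v:match("^%d+$") then return false end
  local n = tonumber(v)
  return n >= 1 and n <= 65535
end

local function build_check_cmd_safe(ipaddr, port)
  local host = normalize_ipaddr(ipaddr)
  if not is_safe_host(host) or not is_safe_port(port) then
    return nil, "rejected by allowlist"
  end
  return "nc -z " .. host .. " " .. port
end

-- Constructed inputs: what a form submission might carry in ipaddr.
local samples = {
  "10.1.1.5",                   -- plain address, passes both
  "http://example.com:8080/app", -- URL, normalised to example.com
  "http://example.com;reboot",   -- ';' is not encoded and survives the cut
  "example.com$(id)",            -- no ':' or '/', nothing is removed
  "`id`.example.com",            -- backticks are not encoded either
}

for _, s in ipairs(samples) do
  local cmd = build_check_cmd(s, "80")
  local safe, err = build_check_cmd_safe(s, "80")
  print(string.format("%-30s vulnerable: %-36s hardened: %s",
    s, cmd, safe or err))
end
```

Running this shows the third, fourth and fifth samples producing command strings such as "nc -z example.com;reboot 80" from the vulnerable path, while the allowlist path returns "rejected by allowlist" for all three and still accepts the plain address and the normalised URL. The point of the hardened variant is that it validates the value that is actually interpolated into the command, after all transformations, rather than the raw input.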