List: full-disclosure
Subject: [FD] Disclosure of CVE-2023-50917: RCE Vulnerability in MajorDoM
From: Balgogan via Fulldisclosure <fulldisclosure () seclists ! org>
Date: 2023-12-18 9:34:54
Message-ID: Ca-3s7JFx8OBtoOXNX4WZOFpGJixYx5cJrCwAAy1tlTJIeGE57cBgo-x4a-7ABQH1Qtrfxm1sILY-85BGOIZWhmh-AkcolOowRQwAgbYPU4= () protonmail ! com
**Introduction**
MajorDoMo, a beacon in Russian home automation and particularly favored by Raspberry Pi aficionados, has been a trusted name for over a decade. With over 380 stars on its official GitHub repository at the time of writing (https://github.com/sergejey/majordomo), its popularity is evident. However, lurking within its `thumb.php` module is a severe unauthenticated Remote Code Execution (RCE) vulnerability, present in all versions prior to commit 0662e5e.

NOTE: this is unrelated to the Majordomo mailing-list manager.
**Disclosure Timeline:**
- October 28, 2023: Initial discovery of the vulnerability (CVE-2023-50917).
- October 29, 2023: Contacted MajorDoMo team detailing the vulnerability.
- November 6, 2023: After no response from MajorDoMo's team for over a week, submitted a CVE request to the appropriate CNA.
- November 14, 2023: New attempt to contact the MajorDoMo team. Received a response from the team within a few hours. The patch has been applied.
- December 15, 2023: Public disclosure of CVE-2023-50917.
**Technical Background: The Vulnerable Code**
The script `/modules/thumb/thumb.php` is primarily designed for thumbnail generation in MajorDoMo. It serves to facilitate the creation of thumbnails from various media sources. But within this benign purpose lies a significant vulnerability:
**Key Code Snippets and Analysis:**
1. **URL Decoding:**

```php
$url = base64_decode($url);
```

The script takes a base64-encoded `url` parameter and decodes it. This decoding step is pivotal, as it allows attackers to obfuscate their payloads, skirting around simple checks.

2. **Pattern Checks:**

```php
if (preg_match('/^rtsp:/is', $url) || preg_match('/\/dev/', $url)) { ... }
```

The script then checks whether the decoded `url` matches one of two patterns (starts with `rtsp:` or contains `/dev`). This is a rudimentary check used only to decide whether to process the URL at all. With the help of base64 encoding, it becomes trivial for attackers to pass this verification.

3. **Direct Command Construction:**

```php
if ($_GET['transport']) {
    $stream_options = '-rtsp_transport ' . $_GET['transport'] . ' ' . $stream_options;
}
```

Here lies the crux of the vulnerability. The `transport` parameter is taken directly from the query string and embedded in a system command without any sanitization. This oversight allows arbitrary command injection: by crafting the `transport` parameter, an attacker can append and execute commands of their choosing. The resulting command is then executed via the `exec` function, which poses a significant security risk.
**The Core Vulnerability**
The vulnerability's essence is the unchecked and unsanitized user input (from the `transport` parameter) that gets directly incorporated into a system command. This allows attackers to run arbitrary commands on the server, potentially taking full control of the MajorDoMo instance.
**Exploitation Avenues:**
1. **Bypassing URL Validation:**

The script's initial validation checks for patterns such as `rtsp:` or `/dev`. By using base64-encoded strings like `cnRzcDovL2EK` (decoding to `rtsp://a`), these checks can be easily bypassed.

2. **Command Injection via the `transport` Parameter:**

The `transport` parameter is used directly within a system command. With no sanitization in place, this can be exploited for command injection, leading to RCE. For instance, the value `||echo; echo $(command_here)` can be used to break out of the intended command and execute any arbitrary command.
**Potential Impact**
The severity of this RCE vulnerability is high. Given MajorDoMo's integral role in home automation, successful exploitation can result in an attacker compromising physical security systems, gaining access to surveillance cameras, or even taking control of other connected IoT devices.
**Recommendations for Mitigation**
- Thorough Input Validation: It is essential to rigorously validate all inputs. This can prevent malicious payloads from being processed.
- Sanitize Before Execution: Inputs should be sanitized before being incorporated into any system commands.
- Limit Direct Command Execution: Prefer using built-in PHP functions or secure APIs over direct system command execution.
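As an added illustration of these recommendations (example code written for this post, not MajorDoMo's code and not the content of commit 0662e5e), the following hardened version of the `thumb.php` parameter handling replaces the prefix check and the raw string concatenation with an allowlist for `transport`, strict base64 decoding, and `escapeshellarg` on every operand. The function name `build_ffmpeg_command`, the allowlist constant and the output path are assumptions.

```php
<?php
// Added example: hardened handling of the `url` and `transport` parameters
// discussed above. Not MajorDoMo's code; names below are assumptions.
declare(strict_types=1);

// ffmpeg's -rtsp_transport option takes a fixed set of values, so an
// allowlist is the right check: anything else is rejected, not escaped.
const ALLOWED_TRANSPORTS = ['udp', 'tcp', 'udp_multicast', 'http'];

// Returns the command to execute, or null when the request must be refused.
function build_ffmpeg_command(array $get): ?string
{
    // Strict decoding refuses input outside the base64 alphabet.
    $url = base64_decode((string)($get['url'] ?? ''), true);
    if ($url === false) {
        return null;
    }
    // Require a complete rtsp:// URL made only of URL characters, instead of
    // the original prefix check that any base64-encoded value can satisfy.
    if (!preg_match('~^rtsp://[A-Za-z0-9.\-:@/_?=&%]+$~', $url)) {
        return null;
    }

    $stream_options = '';
    if (isset($get['transport'])) {
        $transport = (string)$get['transport'];
        // Reject anything outside the allowlist; shell metacharacters such
        // as `||`, `;` or `$(...)` never reach the command string.
        if (!in_array($transport, ALLOWED_TRANSPORTS, true)) {
            return null;
        }
        $stream_options = '-rtsp_transport ' . $transport . ' ';
    }

    // Quote every operand handed to the shell, including already-validated
    // ones, so the command line cannot be broken out of.
    return 'ffmpeg ' . $stream_options . '-i ' . escapeshellarg($url)
        . ' -frames:v 1 ' . escapeshellarg('/tmp/thumb.jpg'); // assumed path
}

// Constructed sample requests: a legitimate one and the injection pattern
// from the exploitation section above. Only the first yields a command.
$legit = ['url' => base64_encode('rtsp://cam.local/stream1'), 'transport' => 'tcp'];
$evil  = ['url' => base64_encode('rtsp://a'), 'transport' => '||echo; echo $(command_here)'];

var_dump(build_ffmpeg_command($legit));
var_dump(build_ffmpeg_command($evil));
```

The caller should only pass a non-null return value to `exec`; a null result is the signal to return an HTTP error and log the rejected parameters, which also gives defenders a clean detection point for attempts against this endpoint.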
**Conclusion**
This vulnerability underscores the importance of thorough code reviews and robust input validation. Even established software projects like MajorDoMo are not immune to critical vulnerabilities. The discovery serves as a reminder of the ever-present need for diligence and a proactive approach to security in all software development stages.
Please refer to https://nvd.nist.gov/vuln/detail/CVE-2023-50917
Valentin Lobstein
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/