POSTED BY: johntorakis / 02.10.2017

e2openplugin OpenWebif saveConfig remote code execution

CENSUS ID:CENSUS-2017-0001
CVE ID:CVE-2017-9807
Affected Products:e2openplugin OpenWebif (versions 0.2.9-1.2.4)
Class:Improper control of generation of code ('Code Injection') (CWE-94)
Discovered by:John Torakis

OpenWebif is a Web application that is used in IP TVs and media boxes to provide an easy-to-use Web Interface. It is written mostly in Python (Backend) and JavaScript (Frontend). It can be found in DreamBox devices.

A vulnerability was identified in the saveConfig() function of /plugin/controllers/models/config.py. The vulnerability allows Remote Code Execution to the host that runs OpenWebif. It is worth noting that on Dreambox devices OpenWebIf runs under the privileges of the root user.

Details

CENSUS engineers have discovered that changing the service settings via the web interface issues an HTTP GET request to /api/saveconfig with 3 parameters. The parameters are key, value and _. Auditing the saveConfig code that manipulated those parameters, shows that an unsafe eval() call is performed on the path function argument which contains the key HTTP parameter value, that is controlled by the Frontend.


def saveConfig(path, value):
    try:
        cnf = eval(path)
    ...

Directly writing Python code into the key HTTP GET parameter resulted to Python code execution on the Backend. Triggering this command injection vulnerability to gain OS command execution through the Python interpreter can be achieved by an expression such as __import__("os").system("exit 0") (with "exit 0" being the arbitrary OS command).

The vulnerability was identified during Penetration Testing, on the following Dreambox model:

During post-exploitation, penetration testers may use a linux/mipsle meterpreter payload to get a shell on DreamBox devices.

Recommendation

CENSUS strongly recommends to all users of e2openplugin-OpenWebif to update to the latest available version of the code. The commit that fixes the aforementioned issue is 09a050c8f04afd3bb4a14af98994be255aae10d9. At the time of writing, there is no official release containing this commit.

Disclosure Timeline

Vendor Contact:June 21st, 2017
Vendor Triaged Vulnerability (HIGH):June 21st, 2017
MITRE Assigned CVE:June 22nd, 2017
Initial Vendor Patch:June 24th, 2017
Final Vendor Patch:September 15th, 2017
Public Advisory:October 2nd, 2017