A vulnerability was identified in the saveConfig() function of /plugin/controllers/models/config.py. The vulnerability allows remote code execution on the host that runs OpenWebif. It is worth noting that on Dreambox devices OpenWebif runs with the privileges of the root user.
CENSUS engineers have discovered that changing the service settings via the web interface issues an HTTP GET request to /api/saveconfig with three parameters: key, value and _.
Auditing the saveConfig code that handles those parameters shows that an unsafe eval() call is performed on the path function argument, which receives the value of the key HTTP parameter and is therefore controlled by the frontend.
def saveConfig(path, value):
    cnf = eval(path)  # path is the attacker-controlled 'key' HTTP parameter
Directly writing Python code into the key HTTP GET parameter results in Python code execution on the backend. Triggering this command injection vulnerability to gain OS command execution through the Python interpreter can be achieved by an expression such as __import__("os").system("exit 0") (with "exit 0" being the arbitrary OS command).
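The following is an added illustration, not code from OpenWebif or from the fixing commit: it places the eval()-based pattern described above next to a hardened resolver that walks a dotted "config.x.y" key by attribute lookup and rejects anything that is not a plain identifier chain. The config tree, its attribute names and the function names are constructed for the example.

```python
import re
from types import SimpleNamespace

# Constructed stand-in for the Enigma2 global 'config' tree (names are made up).
config = SimpleNamespace(
    OpenWebif=SimpleNamespace(port=SimpleNamespace(value=80),
                              auth=SimpleNamespace(value=True)),
)

def save_config_unsafe(path, value):
    """The pattern from the advisory: the 'key' parameter reaches eval()."""
    cnf = eval(path)  # any Python expression supplied as 'path' is executed
    cnf.value = value
    return cnf

# Only 'config' followed by one or more dotted identifiers is accepted.
_PATH_RE = re.compile(r"^config(\.[A-Za-z_][A-Za-z0-9_]*)+$")
_MISSING = object()

def resolve_config_path(path):
    """Resolve 'config.a.b' via getattr(), never via eval().

    Raises ValueError for anything that is not a dotted identifier chain
    rooted at 'config', for private/dunder attribute names, and for unknown keys.
    """
    if not _PATH_RE.match(path):
        raise ValueError("rejected config key: %r" % path)
    node = config
    for name in path.split(".")[1:]:
        if name.startswith("_"):  # block __class__, __dict__ and similar traversal
            raise ValueError("rejected config key: %r" % path)
        node = getattr(node, name, _MISSING)
        if node is _MISSING:
            raise ValueError("unknown config key: %r" % path)
    return node

def save_config_safe(path, value):
    cnf = resolve_config_path(path)
    if not hasattr(cnf, "value"):
        raise ValueError("not a config entry: %r" % path)
    cnf.value = value
    return cnf

def is_valid_config_key(path):
    """True if the hardened resolver accepts the key, False if it rejects it."""
    try:
        resolve_config_path(path)
        return True
    except ValueError:
        return False
```

The unsafe variant accepts any expression that evaluates to a config node, while the hardened variant accepts only literal keys, so a request log entry with a rejected key is a useful detection signal.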
The vulnerability was identified during Penetration Testing, on the following Dreambox model:
During post-exploitation, penetration testers may use a linux/mipsle meterpreter payload to get a shell on DreamBox devices.
CENSUS strongly recommends that all users of e2openplugin-OpenWebif update to the latest available version of the code. The commit that fixes the aforementioned issue is 09a050c8f04afd3bb4a14af98994be255aae10d9. At the time of writing, there is no official release containing