The Vitec Flamingo device exposes the gen_graphs.php endpoint, which is responsible for generating graphical representations of monitoring data using RRDTool. The endpoint accepts several user-controlled parameters that are subsequently incorporated into shell commands executed on the underlying operating system.
The endpoint /gen_graphs.php accepts multiple GET parameters, including start, end, key, and format.
Figure 1 : gen_graphs.php Endpoint
The script collects these parameters and stores them in the $params array before loading the appropriate graph generation script:
Code$params = [
'type' => @$_GET['type'],
'key' => @$_GET['key'],
];
...
$params[$param] = array_key_exists($param, $_GET)
? $_GET[$param]
: $default_value;
The selected graph generation script subsequently uses these user-supplied values to construct shell commands that are executed through passthru(). The parameters are incorporated into the command line without proper neutralization of shell metacharacters.
The gen_graphs.php file include filepath constructed with unsanitized user inputs so we can control the file to be included as long as it ends with .inc.php:
Figure 2 : Unsantize user inputs to build filepath
Then the function generate_function is called from that particular file included:
Figure 3 : Unsanitize user inputs to build cmd command
The generateImage function is then called and uses passthru() without any verifications:
Figure 4 : Unsafe passthru() Usage
Because the application fails to validate or escape the start, end, key, and format parameters before passing them to the shell, an attacker can inject arbitrary operating system commands.
Furthermore, the endpoint does not enforce authentication. As a result, a remote unauthenticated attacker can directly reach the vulnerable functionality and trigger command execution.
On affected devices, the web server context has passwordless sudo permissions, causing injected commands to execute with root privileges.
To exploit the vulnerability:
Figure 5 : RCE PoC
The injected command is then executed on the device with root privileges.
Successful exploitation of this vulnerability may lead to significant impacts, including:
Unlike authentication bypass vulnerabilities, exploitation only requires sending a crafted HTTP request to the exposed endpoint. The root cause is the incorporation of untrusted input into shell commands executed via passthru() without proper sanitization.