Executive summaryA critical command injection vulnerability was discovered in the `admin/ajax/ping.php` endpoint of the Vitec administration interface. Although user input is properly protected using `escapeshellarg()`, the `/usr/share/commands/ping` script reuses this value without escaping before executing it via `shell_exec()`. This flaw allows an unauthenticated attacker to inject arbitrary commands and execute them with root privileges on the server.
Context
The Vitec Flamingo administration interface exposes an endpoint that allows administrators to perform network connectivity tests. This endpoint passes a user-controlled value to a system utility responsible for executing a ping command.
Attack Vectors
- Network Access: Remote
- Authentication Required: None
- User Interaction: None
- Injection Point: Network endpoint
Vulnerability Details
The endpoint /admin/ajax/ping.php accepts a POST request containing the host parameter, then executes the system wrapper /usr/share/commands/ping as root:
Figure 1 : ping.php Endpoint
Before execution, the value of host is properly protected using escapeshellarg(), preventing command injection at this stage.
Figure 2 : Code of the /usr/share/commands/ping wrapper
The /usr/share/commands/ping wrapper then retrieves this value from $argv[1] and uses it to build a new system command executed via shell_exec(). Unlike ping.php, this second step performs no escaping or additional validation of the user input.
This unsafe reuse results in a second interpretation of the data by the shell, allowing the injection and execution of arbitrary commands with root privileges.
Proof of Concept (PoC)
To exploit the vulnerability:
- Send a request to admin/ajax/ping.php.
- Provide a malicious value in the host parameter.
- The wrapper will execute the injected command when calling shell_exec().
Figure 3 : Remote RCE PoC
The id command is then executed on the server with root privileges.
Risk and Impact
Successful exploitation of this vulnerability may lead to significant impacts, including:
- Execution of arbitrary commands on the server.
- Execution with root privileges via sudo.
- Full compromise of the device hosting the administration interface.
- The ability to install a backdoor, steal sensitive data, or use the server as a pivot point for lateral movement.
- No bypass of escapeshellarg() is required: the vulnerability results from a second interpretation of the data by the wrapper.
Authors
- Yassine Damiri
- Adam Outikni