Question about Command Injection

I was just taking a look at this file on my OpenWrt system (OpenWrt 17.01, Lua version 5.1.5).

In the file, I can see the following script:

~~~
local timeout = uci_cursor:get("dynapoint", "internet", "timeout")
~~~

~~~
function do_internet_check(host)
  if (curl == 1 ) then
    if (curl_interface) then
      result = os.execute("curl -s -m "..timeout.." --max-redirs 0 --interface "..curl_interface.." --head "..host.." > /dev/null")
    else
      result = os.execute("curl -s -m "..timeout.." --max-redirs 0 --head "..host.." > /dev/null")
    end
  else
    result = os.execute("wget -q --timeout="..timeout.." --spider "..host)
  end
  if (result == 0) then
    return true
  else
    return false
  end
end
~~~

If that do_internet_check(host) function is used somewhere,
I think someone can use a command injection attack,
like setting that timeout value manually, such as ; reboot.

Then, when the script

~~~
result = os.execute("curl -s -m "..timeout.." --max-redirs 0 --interface "..curl_interface.." --head "..host.." > /dev/null")
~~~

is executed, it's gonna reboot the system.

Am I right?

That version is not old, it's ancient... even if it has security bugs, I doubt nobody is going to fix them.

3 Likes

It seems interesting!
We really don’t know if the problem still exists; you need to examine the current source code for that.

The package seems to be still alive but it is not managed by OpenWrt, you do have the source code link and bug report link in the package link you included in the first post.

1 Like

If you're worried about command injection, it is a bit surprising that you'd be running such an old version of OpenWrt.

What device is this?

~~~
ubus call system board
~~~

2 Likes

FWIW, it seems that the quoted function is still present in the most recent (22.03) source code of the package. That file was last modified 6 years ago. I did not check if the host variable input to the function do_internet_check(host) is sanitized everywhere it is used.

So, without admin/root rights, you will not be able to use this method of executing commands.
So everything is fine with security.
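
Added example, not part of the thread and not the dynapoint package's own code: one way to build the curl command from the question so that values read from UCI cannot change the shape of the shell command. The helper names, the default timeout of 5, the 1 to 300 range and the allowed character sets are assumptions; only the curl branch is covered.

```lua
-- Added example (not dynapoint code); all helper names are hypothetical.

-- Accept only a plain decimal integer within an assumed range, else use the default.
local function safe_timeout(value, default)
  local s = tostring(value or "")
  if s:match("^%d+$") then
    local n = tonumber(s)
    if n >= 1 and n <= 300 then return n end
  end
  return default
end

-- POSIX single-quote quoting: wrap in '...' and rewrite each ' as '\''.
local function shell_quote(arg)
  return "'" .. (tostring(arg):gsub("'", "'\\''")) .. "'"
end

-- Allowlist check: only the listed characters, and no leading "-" (option injection).
local function allowed(value, pattern)
  return type(value) == "string" and value:sub(1, 1) ~= "-" and value:match(pattern) ~= nil
end

-- Returns the command string, or nil plus a reason when an input is rejected.
local function build_check_cmd(host, timeout, iface)
  if not allowed(host, "^[%w%._:/%-]+$") then
    return nil, "rejected host"
  end
  local cmd = { "curl", "-s", "-m", tostring(safe_timeout(timeout, 5)), "--max-redirs", "0" }
  if iface ~= nil then
    if not allowed(iface, "^[%w%._%-]+$") then
      return nil, "rejected interface"
    end
    cmd[#cmd + 1] = "--interface"
    cmd[#cmd + 1] = shell_quote(iface)
  end
  cmd[#cmd + 1] = "--head"
  cmd[#cmd + 1] = shell_quote(host)
  return table.concat(cmd, " ") .. " > /dev/null"
end

-- Constructed sample values standing in for what uci_cursor:get() could return.
-- A non-numeric timeout (the "; reboot" case from the question) falls back to the default.
assert(build_check_cmd("http://example.com", "; reboot", "br-lan") ==
  "curl -s -m 5 --max-redirs 0 --interface 'br-lan' --head 'http://example.com' > /dev/null")
-- A host carrying shell metacharacters is refused before any command is built.
assert(build_check_cmd("http://example.com; reboot", "10") == nil)
print(build_check_cmd("http://example.com", "10"))
```

The returned string can be passed to os.execute() in place of the concatenated one; a nil result should be treated as a failed check rather than executed.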