exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

MajorDoMo Remote Code Execution

MajorDoMo Remote Code Execution
Posted Dec 20, 2023
Authored by Valentin Lobstein

MajorDoMo versions prior to 0662e5e suffer from an unauthenticated remote code execution vulnerability.

tags | exploit, remote, code execution
advisories | CVE-2023-50917
SHA-256 | 230b495a6b7565bbb5d5945866c2290e007fca5c2b4cb6c9a1eee7926b83eddc

MajorDoMo Remote Code Execution

Change Mirror Download
**Introduction**

MajorDoMo, a beacon in Russian home automation and particularly favored by Raspberry Pi aficionados, has been a trusted name for over a decade. With over 380 stars on its official GitHub repository at the time of writing (https://github.com/sergejey/majordomo), its popularity is evident. However, lurking within its `thumb.php` module is a severe unauthenticated Remote Code Execution (RCE) vulnerability before 0662e5e.
NOTE: this is unrelated to the Majordomo mailing-list manager.

**Disclosure Timeline:**

- October 28, 2023: Initial discovery of the vulnerability (CVE-2023-50917).
- October 29, 2023: Contacted MajorDoMo team detailing the vulnerability.
- November 6, 2023: After no response from MajorDoMo's team for over a week, submitted a CVE request to the appropriate CNA.
- November 14, 2023: New attempt to contact the MajorDoMo team. Received a response from the team within a few hours. The patch has been applied.
- December 15, 2023: Public disclosure of CVE-2023-50917.

**Technical Background: The Vulnerable Code**

The script `/modules/thumb/thumb.php` is primarily designed for thumbnail generation in MajorDoMo. It serves to facilitate the creation of thumbnails from various media sources. But within this benign purpose lies a significant vulnerability:

**Key Code Snippets and Analysis:**

1. **URL Decoding:**
PHP code: $url = base64_decode($url);
The script takes a base64 encoded `url` parameter and decodes it. This decoding process is pivotal, as it allows attackers to obfuscate their payloads, skirting around simple checks.

2. **Pattern Checks:**
PHP code: if (preg_match('/^rtsp:/is', $url) || preg_match('/\/dev/', $url)) { ... }
The script then checks if the decoded `url` adheres to specific patterns (`rtsp:` or `/dev`). This is a rudimentary check to decide whether to process the URL. With the help of base64 encoding, it becomes trivial for attackers to bypass this verification.

3. **Direct Command Construction:**
PHP code: if ($_GET['transport']) { $stream_options = '-rtsp_transport ' . $_GET['transport'] . ' ' . $stream_options; }
Here lies the crux of the vulnerability. The `transport` parameter is taken directly and embedded within a system command without adequate sanitization. This glaring oversight allows for arbitrary command injections. By crafting the `transport` parameter, an attacker can introduce and execute arbitrary commands. The subsequent command is executed via the `exec` function, which poses a significant security risk.

**The Core Vulnerability**

The vulnerability's essence is the unchecked and unsanitized user input (from the `transport` parameter) that gets directly incorporated into a system command. This allows attackers to run arbitrary commands on the server, potentially taking full control of the MajorDoMo instance.

**Exploitation Avenues:**

1. **Bypassing URL Validation:**
The script's initial validation checks for patterns such as `rtsp:` or `/dev`. By using base64 encoded strings like `cnRzcDovL2EK` (decoding to `rtsp://a`), these checks can be easily bypassed.

2. **Command Injection via the `transport` Parameter:**
The `transport` parameter is used directly within a system command. With no sanitization in place, this can be exploited for command injections, leading to RCE. For instance, the command `||echo; echo $(command_here)` can be used to break out of the intended command and execute any arbitrary command.

**Potential Impact**

The severity of this RCE vulnerability is high. Given MajorDoMo's integral role in home automation, successful exploitation can result in an attacker compromising physical security systems, gaining access to surveillance cameras, or even taking control of other connected IoT devices.

**Recommendations for Mitigation**

- Thorough Input Validation: It is essential to rigorously validate all inputs. This can prevent malicious payloads from being processed.
- Sanitize Before Execution: Inputs should be sanitized before being incorporated into any system commands.
- Limit Direct Command Execution: Prefer using built-in PHP functions or secure APIs over direct system command execution.

**Conclusion**

This vulnerability underscores the importance of thorough code reviews and robust input validation. Even established software projects like MajorDoMo are not immune to critical vulnerabilities. The discovery serves as a reminder of the ever-present need for diligence and a proactive approach to security in all software development stages.

Please refer to https://nvd.nist.gov/vuln/detail/CVE-2023-50917

Valentin Lobstein

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close