CVE-2023-0046

Unrestricted Logging Filename Lead to Remote Code Execution

Vulnerability Explanation

This vulnerability occur because there is no filename restriction or validation during file logging saving process. In this case attacker can set the filename to existing php file and append php code on it by manipulating the logged input.

Vulnerability Type

• Code Injection

CVSS

• CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (High)

Vendor

• daloRADIUS

Affected Version

• daloRADIUS <= 1.3

Proof of Concept

1. Log in using operator account, in this case i try to login using operator1 user which is account that i created with ACL Settings only rep_online enabled

2. 
3. Go to config and click on logging settings. Modify filename to any php file that accessible , e.g update.php then enabled Logging of Queries.

4. 
5. Go to rep_online feature and fill the username with php code, e.g phpinfo()

6. 
7. Go to update.php and you will see that phpinfo() successfully injected

8. 

Exploit Code

# TBU

Tested On

• daloRADIUS version: 1.3

Disclosure Timeline

• 2023-01-03: Vulnerability discovered.

• 2023-01-04: Vulnerability fixed.

• 2023-01-04: Vulnerability reported to the MITRE corporation.

• 2023-01-04: CVE has been assigned.

• 2023-01-04: Public disclosure of the vulnerability.

Researcher

• Achmad Zaenuri Dahlan Putra (kos0ng)

Additional Information

• https://huntr.com/bounties/2214dc41-f283-4342-95b1-34a2f4fea943/

• https://github.com/lirantal/daloradius/commit/2013c2d1231e99dac918247b69b198ded1f30a1c