Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Narcissus Remote Command Execution Vulnerability in Image Configuration

Vulnerability

A remote code execution vulnerability exists in Narcissus, an online tool for creating root filesystem images for devices. The issue arises in the backend.php script, which improperly sanitizes the release parameter before passing it to the configure_image() function. This function uses PHP's passthru() to execute system commands, allowing attackers to inject arbitrary commands that are executed under the web server's context. Exploitation requires sending a crafted POST request.
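The defect described above is a request parameter reaching passthru() unsanitized. The following is an added example, not Narcissus's own backend.php, of how a hardened configure_image handler would validate the release and machine parameters before any shell command is built; the allowlist values and the script path are assumptions.

```php
<?php
// Added example (hypothetical hardened handler), not the project's own code.
// The original weakness is a POST parameter interpolated straight into a
// passthru() command line. The fix below accepts only allowlisted values,
// double-checks them against a strict character class, and quotes each
// argument so the shell never parses attacker-controlled text.
declare(strict_types=1);

const ALLOWED_RELEASES = ['stable', 'testing'];   // constructed sample values
const ALLOWED_MACHINES = ['generic', 'rpi'];      // constructed sample values

/**
 * Return the value if it is allowlisted and free of shell metacharacters,
 * otherwise null. The regex is defence in depth behind the allowlist.
 */
function validate_token(?string $value, array $allowed): ?string
{
    if ($value === null || !in_array($value, $allowed, true)) {
        return null;
    }
    return preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $value) === 1 ? $value : null;
}

function configure_image(string $release, string $machine): int
{
    // escapeshellarg() turns each argument into one single-quoted literal word.
    $cmd = '/opt/narcissus/configure_image.sh '      // path is an assumption
         . escapeshellarg($release) . ' ' . escapeshellarg($machine);
    passthru($cmd, $status);
    return $status;
}

if (($_POST['action'] ?? '') === 'configure_image') {
    $release = validate_token($_POST['release'] ?? null, ALLOWED_RELEASES);
    $machine = validate_token($_POST['machine'] ?? null, ALLOWED_MACHINES);
    if ($release === null || $machine === null) {
        // Reject and log: a rejected request here is a useful detection signal.
        http_response_code(400);
        error_log('configure_image: rejected request with invalid release/machine');
        exit;
    }
    if (configure_image($release, $machine) !== 0) {
        http_response_code(500);
        echo 'image configuration failed';
    }
}
```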

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the server, executed in the context of the web server user.

Reproduction

To reproduce this vulnerability, send a POST request to 'backend.php' with the 'action' parameter set to 'configure_image' and the 'release' parameter containing the injected command, prefixed with a pipe character. The 'machine' parameter should also be included.

Added: Aug 5, 2025, 10:38 PM
Updated: Aug 5, 2025, 10:38 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 9.1
remediation: 0.0
relevance: 0.3
threat: 9.3
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.