WAN Emulator Command Execution Vulnerability Allowing Privilege Escalation

A command execution vulnerability has been identified in WAN Emulator version 2.3. This vulnerability allows unauthenticated users to execute arbitrary commands on the server as the 'www-data' user. The issue arises in the 'result.php' script, which improperly sanitizes input from the 'pc' POST parameter before passing it to the 'shell_exec()' function. Additionally, the application includes a SUID-root binary named 'dosu', which is susceptible to command injection through its first argument. By exploiting both vulnerabilities in tandem, an attacker can achieve full remote code execution and escalate privileges to root.

Impact

Exploitation of this vulnerability leads to unauthorized command execution on the server, with the potential for privilege escalation to the root user.

Reproduction

The vulnerability can be reproduced by sending a POST request to the 'result.php' script with a payload in the 'pc' parameter. The payload can include commands that will be executed on the server. After gaining access as the 'www-data' user, the 'dosu' binary can be used to execute a shell with root privileges.