RaspAP raspap-webgui
cpe:2.3:a:raspap:raspap:*:*:*:*:*:*:*
- 3.3.1
A directory traversal vulnerability has been identified in RaspAP WebGUI version 3.3.1, specifically within the WireGuard key generation interface located at '/ajax/networking/get_wgkey.php'. This vulnerability allows authenticated attackers to send crafted POST requests that exploit path traversal in the 'entity' parameter. The exploitation involves overwriting arbitrary files that are writable by the web server, using the 'tee' command to manipulate file outputs. This could lead to unauthorized file modifications, site defacement, or potentially remote code execution.
Exploitation of this vulnerability allows for authenticated arbitrary file overwriting. Any file writable by the 'www-data' user can be replaced, leading to possible site defacement or disruption of service. Additionally, if the vulnerability is used to write a PHP web shell or alter configuration files, it could result in remote code execution.
To reproduce this vulnerability, log into RaspAP WebGUI with valid credentials. Then, send a POST request to '/ajax/networking/get_wgkey.php' with the 'entity' parameter set to a crafted value that includes path traversal payloads, such as '../var/www/html/index.php' followed by additional data. This request will overwrite the specified file with output from the WireGuard key generation process.
It is recommended to replace 'escapeshellcmd()' with 'escapeshellarg()' to properly sanitize the 'entity' parameter. Additionally, input should be validated to allow only alphanumeric characters, underscores, and hyphens, and to disallow path traversal sequences. Consider removing the use of shell commands altogether and utilizing native PHP file and cryptographic functions instead.
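The allow-list validation and the shell-free key generation recommended above, as an added PHP example that is not RaspAP's own code. The function names, the key directory, the file naming and the 64-character limit are assumptions, and PHP's sodium extension is required.

```php
<?php
declare(strict_types=1);

// Accept only letters, digits, underscores and hyphens (the 64-char cap is an added assumption).
function validateEntity(string $entity): string
{
    // \A and \z anchor the whole string; "$" alone would admit a trailing newline.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $entity) !== 1) {
        throw new InvalidArgumentException('invalid entity name');
    }
    return $entity;
}

// Generate a WireGuard (Curve25519) key pair natively instead of shelling out.
function generateWgKeyPair(): array
{
    $private = random_bytes(32);
    $private[0]  = chr(ord($private[0]) & 248);          // clamp the scalar
    $private[31] = chr((ord($private[31]) & 127) | 64);
    $public = sodium_crypto_scalarmult_base($private);
    return [base64_encode($private), base64_encode($public)];
}

// Write both keys under $keyDir (hypothetical layout) and return the public key.
function writeWgKeys(string $keyDir, string $entity): string
{
    $entity = validateEntity($entity);
    $dir = realpath($keyDir);
    if ($dir === false || !is_dir($dir)) {
        throw new RuntimeException('key directory missing');
    }
    [$private, $public] = generateWgKeyPair();
    $old = umask(0077); // private key readable by its owner only
    try {
        foreach (['private' => $private, 'public' => $public] as $kind => $key) {
            if (file_put_contents("$dir/$entity-$kind.key", "$key\n", LOCK_EX) === false) {
                throw new RuntimeException("cannot write $kind key");
            }
        }
    } finally {
        umask($old);
    }
    return $public;
}

// Constructed inputs: the plain name is written, the traversal value is rejected.
foreach (['wg-peer_1', '../var/www/html/index.php'] as $name) {
    try { echo "$name: ", writeWgKeys(sys_get_temp_dir(), $name), "\n"; }
    catch (InvalidArgumentException $e) { echo "$name: rejected\n"; }
}
```

Because the validated name can contain neither a slash nor a dot, the written path cannot leave the key directory, and no value ever reaches a shell.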