Emoncms Remote Code Execution Vulnerability in Firmware Upload Feature

Vulnerability

A remote code execution vulnerability has been identified in Emoncms version 11.7.3. This issue arises in the firmware upload feature, specifically within the '/admin/upload-custom-firmware' endpoint. The vulnerability allows authenticated users to execute arbitrary commands on the target system by manipulating user-controlled parameters, including filename, port, baud_rate, core, and autoreset. The root cause of this vulnerability is insufficient input validation of these parameters, which enables the execution of commands with the application's privileges.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the server where Emoncms is running.

Reproduction

To reproduce this vulnerability, authenticate to the application with valid admin credentials. Then, send a POST request to the '/admin/upload-custom-firmware' endpoint. In the request, include a payload that manipulates the filename parameter to inject shell commands. The injected command will be executed on the server, demonstrating the ability to run arbitrary commands with the privileges of the web application. This vulnerability can also be reproduced by injecting commands through the other vulnerable parameters: port, baud_rate, core, and autoreset.

Remediation

Users are advised to update to the latest version of Emoncms, where this vulnerability has been addressed. For those unable to update, it is recommended to disable the firmware upload feature or implement server-side validation and sanitization of the upload parameters to prevent command injection.
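Emoncms is a PHP application, so one way to implement the server-side validation the remediation describes, shown here as an added example rather than Emoncms code: each of the five parameters named above is checked against a strict allowlist before any command is assembled, and the resulting arguments are shell-quoted as defence in depth. The parameter names come from this advisory; the patterns, accepted values, upload directory and uploader script path are assumptions.

```php
<?php
// Added example, not Emoncms project code: allowlist validation of the five
// upload parameters the advisory names, applied before any shell command is
// assembled. Patterns, accepted values and the uploader script path are assumptions.

function validate_firmware_params(array $in): array
{
    $rules = [
        // bare file name with a fixed extension: no separators, no shell metacharacters
        'filename'  => '/^[A-Za-z0-9_-]{1,64}\.hex$/',
        // only serial device nodes of a fixed shape
        'port'      => '#^/dev/tty(USB|ACM|AMA)[0-9]{1,2}$#',
        // a fixed set of baud rates rather than "any digits"
        'baud_rate' => '/^(9600|19200|38400|57600|115200)$/',
        'core'      => '/^[a-z0-9_-]{1,32}$/',
        'autoreset' => '/^(true|false)$/',
    ];
    $out = [];
    foreach ($rules as $name => $pattern) {
        $value = $in[$name] ?? null;
        // non-strings (arrays, null) and anything not matching the pattern are rejected
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            throw new InvalidArgumentException("invalid or missing parameter: $name");
        }
        $out[$name] = $value;
    }
    return $out;
}

function build_upload_command(array $p): string
{
    // Hypothetical uploader script path. Every argument is shell-quoted even though
    // validation already excluded metacharacters: quoting is the second layer, not the first.
    $args = [
        $p['port'], $p['baud_rate'], $p['core'], $p['autoreset'],
        '/var/uploads/' . $p['filename'],
    ];
    return '/usr/local/bin/upload-firmware.sh ' . implode(' ', array_map('escapeshellarg', $args));
}

// Constructed inputs: one clean request and one carrying a shell metacharacter.
$clean = ['filename' => 'emontx.hex', 'port' => '/dev/ttyUSB0', 'baud_rate' => '115200',
          'core' => 'avr', 'autoreset' => 'true'];
echo build_upload_command(validate_firmware_params($clean)), PHP_EOL;

try {
    validate_firmware_params(['filename' => 'emontx.hex;id'] + $clean);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Rejecting on any mismatch, rather than stripping offending characters, keeps the validation easy to reason about and makes rejected requests straightforward to log and alert on.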

Added: Oct 24, 2025, 3:20 PM
Updated: Oct 24, 2025, 4:41 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 10.0
exploitability: 6.1
remediation: 8.3
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.