Allsky WebUI Path Traversal Vulnerability Leading to Remote Code Execution
Vulnerability
A path traversal vulnerability has been identified in Allsky WebUI version v2024.12.06_06. This vulnerability allows an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system, resulting in full remote code execution. The issue arises in the execute.php file within the html directory, where user-supplied input in the id parameter is not properly validated before being passed to the exec() function. Exploitation involves sending a crafted HTTP request to the execute.php endpoint with a malicious payload that includes path traversal sequences, bypassing intended command restrictions and executing unauthorized commands under the application's privileges.
Impact
Successful exploitation of this vulnerability allows for arbitrary command execution on the server, with the executed commands running under the application's user privileges. This could lead to a complete compromise of the server, allowing an attacker to execute any command, potentially including those that could escalate privileges or access sensitive information.
Reproduction
To reproduce this vulnerability, send a request to the Allsky WebUI execute.php endpoint with a crafted id parameter that includes path traversal sequences. The payload should be designed to traverse out of the intended directory and into a location where sensitive binaries or scripts can be accessed. Once the payload is executed, the command execution can be verified by appending a command like 'whoami' or 'cat /etc/passwd' to the payload, which will return the output of the command executed on the server.
Remediation
Users are advised to update to the latest version of Allsky WebUI, as this vulnerability has been addressed in version v2024.12.06_07. For those unable to update, a temporary workaround is to disable the WebUI or restrict access to the execute.php endpoint.
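For operators who cannot update immediately, the following is an added detection example, not part of this advisory and not Allsky project code: it scans web-server access logs for requests to execute.php whose id parameter carries path traversal sequences (including percent- and double-percent-encoded forms) or shell metacharacters. The common-log-format layout and the sample log lines are constructed assumptions.

```python
"""Flag suspicious requests to the Allsky WebUI execute.php endpoint in access logs."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line inside a common-log-format entry: "METHOD TARGET HTTP/x.y"
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A ".." path component delimited by slashes or backslashes (or string ends)
_TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
_SHELL_META = set(';|&`$\n')


def _fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (e.g. %252e%252e%252f -> ../)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target: str):
    """Return a reason string if TARGET is an execute.php request whose id
    parameter looks like traversal or command injection, else None."""
    parts = urlsplit(target)
    if parts.path.rsplit('/', 1)[-1].lower() != 'execute.php':
        return None  # only the vulnerable endpoint is of interest
    for raw in parse_qs(parts.query, keep_blank_values=True).get('id', []):
        value = _fully_decode(raw)  # parse_qs already decoded one layer
        if _TRAVERSAL_RE.search(value):
            return f'path traversal in id: {value!r}'
        if any(ch in _SHELL_META for ch in value):
            return f'shell metacharacter in id: {value!r}'
    return None


def scan_access_log(text: str):
    """Return (line_number, client_ip, reason) for each suspicious entry."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _REQ_RE.search(line)
        if m and (reason := classify_request(m.group('target'))):
            hits.append((n, line.split(' ', 1)[0], reason))
    return hits


# Constructed sample log (RFC 5737 documentation addresses, not real traffic)
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jan/2025:12:00:01 +0000] "GET /execute.php?id=1 HTTP/1.1" 200 512
192.0.2.11 - - [10/Jan/2025:12:00:05 +0000] "GET /execute.php?id=..%2F..%2Fsome%2Fscript HTTP/1.1" 200 80
192.0.2.12 - - [10/Jan/2025:12:00:09 +0000] "GET /execute.php?id=%252e%252e%252fsome HTTP/1.1" 200 80
192.0.2.13 - - [10/Jan/2025:12:00:12 +0000] "GET /index.php?id=../x HTTP/1.1" 200 1024
192.0.2.14 - - [10/Jan/2025:12:00:15 +0000] "POST /execute.php?id=1%3Bwhoami HTTP/1.1" 200 80
"""

if __name__ == '__main__':
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Run it against a real access log by passing the file contents to scan_access_log; hits on lines 2, 3 and 5 of the sample show the plain, double-encoded and metacharacter cases respectively.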