elecV2 elecV2P Remote Code Execution Vulnerability

A remote code execution vulnerability exists in elecV2 elecV2P versions through 3.8.3. The issue arises in the JSON Parser component, specifically within the runJSFile function of the webhook endpoint. The vulnerability allows for code injection by manipulating the rawcode parameter, which is evaluated as JavaScript, including calls to child_process. This vulnerability has been publicly disclosed and exploited, with confirmation of the code execution via a DNS callback.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server, with the executed code running in the same context as the application, potentially leading to unauthorized access or modification of data, and in some cases, allowing the attacker to execute system commands or scripts.

Reproduction

To reproduce this vulnerability, send a POST request to the /webhook endpoint with a JSON payload that includes a rawcode parameter. The value of rawcode should be crafted JavaScript code that, when executed, performs an action such as calling a child_process function. Include a valid token in the request to bypass authentication checks. Once the request is sent, the injected code will be executed on the server, and if successful, a DNS callback can be used to confirm the exploitation.