
daloRADIUS Web Management RCE
Overview:
SonicWall Capture Labs Threat Research Team has observed the following threat:
daloRADIUS is an advanced RADIUS web management application aimed at managing hotspots and general-purpose ISP deployments. It features user management, graphical reporting, accounting, and a billing engine, and it integrates with Google Maps for geolocation.
A remote code execution vulnerability has been reported for daloRADIUS. The vulnerability is due to improper sanitization of user-controlled input during the update configuration process.
A remote, authenticated attacker can exploit this vulnerability by initiating a POST request to the target server. Successful exploitation could result in the execution of arbitrary commands in the security context of the daloRADIUS service on the target server.
CVE Reference:
This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-0048.
Common Vulnerability Scoring System (CVSS):
The overall CVSS score is 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C).
Base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), based on the following metrics:
• Attack vector is network.
• Attack complexity is low.
• Privileges required is low.
• User interaction is none.
• Scope is unchanged.
• Impact of this vulnerability on data confidentiality is high.
• Impact of this vulnerability on data integrity is high.
• Impact of this vulnerability on data availability is high.
Temporal score is 8.3 (E:U/RL:O/RC:C), based on the following metrics:
• The exploit code maturity level of this vulnerability is proof of concept.
• The remediation level of this vulnerability is not defined.
• The report confidence level of this vulnerability is confirmed.
Technical Overview:
An input sanitization vulnerability exists in daloRADIUS, due to insufficient validation of the POST request parameter "config_mail_smtp_fromemail". An HTTP POST request is sent to /config_mail.php with a custom value assigned to "config_mail_smtp_fromemail". The variables in $_REQUEST are provided to the script via the POST input mechanism, so they can be modified by the remote user and cannot be trusted:
fwrite() writes the contents of data to the file stream pointed to by $fp and $var:
Injected Data:
Executed Code For "config-mail.php":
The attacker attains RCE, modifies the server configuration, and elevates permissions (read, modify, delete, and add files).
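One way to close this class of flaw, as an added example that is not daloRADIUS code or the vendor's patch: validate the request value, then serialize it with var_export() so it is stored as an escaped string literal. The parameter name comes from the advisory; the function names, the temp-file path and the assumption that settings are persisted to a PHP file that is later included are illustrative.

```php
<?php
// Added example (not daloRADIUS code). Function names and paths are assumptions.

/** Accept only the known key, and only if it is a syntactically valid address. */
function validate_mail_settings(array $request): array
{
    $from = $request['config_mail_smtp_fromemail'] ?? '';
    if (!is_string($from) || strlen($from) > 254
        || filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid from address');
    }
    return ['config_mail_smtp_fromemail' => $from];
}

/**
 * Serialize settings as PHP source. var_export() emits each value as a
 * single-quoted literal with ' and \ escaped, so a value cannot terminate
 * the string and continue as code when the file is later included.
 */
function render_config(array $settings): string
{
    return "<?php\nreturn " . var_export($settings, true) . ";\n";
}

/** Write atomically: temp file in the same directory, then rename over the target. */
function write_config(string $path, array $settings): void
{
    $tmp = tempnam(dirname($path), 'cfg');
    if ($tmp === false
        || file_put_contents($tmp, render_config($settings), LOCK_EX) === false) {
        throw new RuntimeException('cannot write config');
    }
    chmod($tmp, 0640);
    if (!rename($tmp, $path)) {
        unlink($tmp);
        throw new RuntimeException('cannot replace config');
    }
}

// Constructed input: a valid address that contains a quote character.
// Validation alone lets it through; the escaping step is what makes it safe to store.
$path = sys_get_temp_dir() . '/example_mail_config.php';
write_config($path, validate_mail_settings(
    ['config_mail_smtp_fromemail' => "o'brien@example.com"]
));
$loaded = include $path;
// Check that the stored value is read back byte-for-byte as data.
var_dump($loaded['config_mail_smtp_fromemail'] === "o'brien@example.com");
```

Format validation by itself is not a sufficient control here, because addresses that pass it may still contain characters that are significant in PHP source.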
Triggering the Problem:
• The target must have the vulnerable software installed.
• The attacker must have network connectivity to the target server.
• The attacker must have access to the "config_mail_smtp_fromemail" variable.
Triggering Conditions:
The attacker sends an HTTP POST request with a malicious "config_mail_smtp_fromemail" parameter. The vulnerability is triggered when the server processes the request.
Attack Delivery:
The following application protocols can be used to deliver an attack that exploits this vulnerability:
• HTTP
• HTTPS
SonicWall's Intrusion Prevention System (IPS) provides protection against this threat:
• IPS: 18863 daloRADIUS Mail Settings RCE
Remediation Details:
The risks posed by this vulnerability can be mitigated or eliminated by:
• Updating to a non-vulnerable version of the product.
• Filtering attack traffic using the signature above.
The vendor has released the following patch regarding this vulnerability:
Vendor Advisory