AXIOM WebRemote Security Recon
Open, Needs Triage, Public

Description

It seems that although lighttpd is configured, it is not directly shipped. Accidentally exposing it to a network could have drastic impact.

The ajax request address is made over http - while this may be appropriate on "localhost" only environments, in case this page is called from an external device via wifi or ethernet, it won't be served in an encrypted fashion:

url: "http://" + serverIP + "/api/settings",

This may become an issue in July when chrome begins flagging HTTP resources by default - and who knows how long until http is not accepted any more at all...

More concerning, however, is the fact that PHP is regularly executing bash scripts with sudo level permissions on files in /root - I would be wary of EVERY avenue of access. A trivial hack would be to:

  • set up dhcp service from laptop over eth
  • attach the laptop via eth
  • ping sweep for clients
  • visit the apertus localhost server
  • use this crafted url: http://192.168.0.2/AxiomVision/AxiomVision.php?set=gamma&value='; sudo rm -rf /*' or something else stupid.

SUGGESTIONS:

  • sanitize all userland inputs from php
  • whitelist input expectations
  • place system calls to shell scripts in a wrapping script
  • remove web/lighttpd from sudoers
  • revise http to https in lighttpd.conf
  • consider a device SSL cert pathway with ipv6 / let's encrypt
  • see this gist for lighttpd ideas
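The sanitize/whitelist/wrapper suggestions above, as an added example (not the AXIOM project's code): the setting names, value ranges and the `/usr/local/bin/axiom-set` wrapper path are assumptions for illustration.

```php
<?php
// Vulnerable pattern, as the report describes it: request parameters are
// interpolated into a shell command that runs with sudo. Shown only as
// the "before"; never deploy this.
function set_setting_unsafe(string $set, string $value): string {
    return (string)shell_exec("sudo /root/set_$set.sh '$value'");
}

// Hardened handler: whitelist the setting name, validate the value against
// a per-setting rule, quote what remains, and hand it to one wrapper script
// that does not need sudo (the web user only ever runs this wrapper).
const ALLOWED_SETTINGS = [
    'gamma'    => ['min' => 0.1, 'max' => 4.0],   // assumed range
    'exposure' => ['min' => 1,   'max' => 10000], // assumed range
];

function set_setting(string $set, string $value): string {
    if (!array_key_exists($set, ALLOWED_SETTINGS)) {
        throw new InvalidArgumentException('unknown setting');
    }
    // Values are numeric only; anything else (quotes, ';', '$', ...) is rejected.
    if (!preg_match('/^\d+(\.\d+)?$/', $value)) {
        throw new InvalidArgumentException('value must be numeric');
    }
    $num   = (float)$value;
    $range = ALLOWED_SETTINGS[$set];
    if ($num < $range['min'] || $num > $range['max']) {
        throw new InvalidArgumentException('value out of range');
    }
    // Both arguments now come from a closed set; escapeshellarg() is a
    // second layer in case the validation rules are relaxed later.
    $cmd = '/usr/local/bin/axiom-set '
         . escapeshellarg($set) . ' ' . escapeshellarg($value);
    return (string)shell_exec($cmd);
}

// Request handling: invalid input gets a 400 instead of reaching the shell.
try {
    echo set_setting($_GET['set'] ?? '', $_GET['value'] ?? '');
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo $e->getMessage();
}
```

The wrapper script itself should accept only the two positional arguments and map them to the underlying commands, so that the PHP layer never builds a shell command from request data.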
nothingismagick updated the task description.
nothingismagick raised the priority of this task from to Needs Triage.
nothingismagick added a subscriber: nothingismagick.
jatha added a subscriber: jatha. Edited Feb 19 2018, 10:22 PM

All the PHP is still from the axiom alpha and will be deprecated in favour of the new REST api. (Correct me if I'm wrong.)
Some of your suggestions are already taken care of in the next-gen firmware on github (ie. lighttpd not having sudo rights)

The SSL part is a good idea, but I think it could be quite difficult to implement on a device that's often not connected to the internet.

sebastian renamed this task from ControlGUI Security Recon to AXIOM WebRemote Security Recon. Feb 24 2018, 5:35 PM