<aside> 💡

CVE-2024-44373 is a path traversal vulnerability in AllSky v2023.05.01_04 that allows an unauthenticated attacker to create a webshell and achieve remote code execution via the `path` and `content` parameters of /includes/save_file.php.

</aside>

Hello everyone, I’m Twan, a student from the K10 class at Cookie Arena. Over the past time, with the wholehearted support from teacher Hazy and all my brothers in the organization, I’ve finally managed to submit my very first CVE. I just want to say a big thanks to the teacher and everyone at Cookie Hân Hoan for always being there to help and care for me 🙂

About the Product

First, we need to understand what Allsky is. To effectively find vulnerabilities, it's crucial to have a clear grasp of the target.


<aside> 🌔

Allsky is a type of camera or imaging system designed to observe the entire sky. These cameras are commonly used in astronomy to monitor celestial phenomena such as meteors, auroras, and other atmospheric events. They typically feature a fisheye lens, allowing them to capture a full view of the sky from horizon to horizon.

</aside>

*The view from Allsky Camera*

The attack surface I’m targeting is the Allsky WebUI—a web-based user interface designed to interact with and manage the Allsky camera system. It enables users to control, configure, and monitor the camera’s activities remotely. Since this is an open-source project, my task now is to leverage all the skills I have, to dive into it!

Accessing the Website

This time, I decided to focus solely on the Front End part of the product. This helps me clearly pinpoint my target and makes it easier to carry out BlackBox Testing, since I can map the code directly to the Allsky web interface.

Each Allsky device comes with its own web page, complete with a unique IP address and port for users to access. I went onto Shodan to search for these Allsky devices:


When I tried searching with the keyword “Allsky,” I got 140 results. However, when I attempted to access one of them, it asked for a username and password to log in.


When we access the raspap.php file in the source code, we see the following content:

```php
<?php

// Default admin username and password (the password is stored as a bcrypt hash):
$config = array(
  'admin_user' => 'admin',
  'admin_pass' => '$2y$10$YKIyWAmnQLtiJAy6QgHQ.eCpY4m.HCEbiHaTgN6.acNC6bDElzt.i'
);

// Can be overridden by what's in this file, if it exists.
// RASPI_ADMIN_DETAILS is a constant defined elsewhere in the WebUI includes;
// the file holds the username on the first line and the password hash on the second.
if(file_exists(RASPI_ADMIN_DETAILS)) {
    if ( $auth_details = fopen(RASPI_ADMIN_DETAILS, 'r') ) {
      $config['admin_user'] = trim(fgets($auth_details));
      $config['admin_pass'] = trim(fgets($auth_details));
      fclose($auth_details);
    }
}

?>
```


So, by default, the username for Allsky's web pages is "admin," and the password is stored as a bcrypt hash (the `$2y$10$` prefix). On the other hand, if you search on Google, you'll find that the default username and password for the Allsky Camera are "admin" and "secret," respectively. When I tried these on the website I just accessed, I was able to log in.


In reality, a shipped default credential is a weakness of the product in its own right, though on its own its impact isn't severe. To prevent unauthorized access to your Allsky camera, simply change the default password.
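As an added example (not code from the Allsky project), the script below reproduces the credential-loading logic from raspap.php, checks whether the configured hash still verifies the well-known default password, and writes a replacement admin-details file in the two-line format that loader expects (username, then bcrypt hash). The file path assigned to `RASPI_ADMIN_DETAILS` here is an assumption for the example; the real constant is defined in the WebUI includes. The function names `loadAdminConfig`, `usesDefaultPassword` and `rotateAdminPassword` are this example's own.

```php
<?php
// Added example, not part of the Allsky project.
// Assumption: RASPI_ADMIN_DETAILS is pointed at a temp file here; in Allsky
// the constant is defined by the WebUI includes and points at the real file.
define('RASPI_ADMIN_DETAILS', sys_get_temp_dir() . '/allsky_admin_details_example.txt');

// The default hash shipped in raspap.php.
$defaultHash = '$2y$10$YKIyWAmnQLtiJAy6QgHQ.eCpY4m.HCEbiHaTgN6.acNC6bDElzt.i';

// Load credentials the same way raspap.php does: built-in defaults first,
// then override them from the admin-details file if it exists.
function loadAdminConfig(string $defaultHash): array {
    $config = ['admin_user' => 'admin', 'admin_pass' => $defaultHash];
    if (file_exists(RASPI_ADMIN_DETAILS) && ($fh = fopen(RASPI_ADMIN_DETAILS, 'r'))) {
        $config['admin_user'] = trim((string) fgets($fh));
        $config['admin_pass'] = trim((string) fgets($fh));
        fclose($fh);
    }
    return $config;
}

// True when the stored hash still matches the documented default password.
// password_verify() handles the $2y$ bcrypt format used by the project.
function usesDefaultPassword(array $config): bool {
    return password_verify('secret', $config['admin_pass']);
}

// Write a fresh admin-details file: line 1 = username, line 2 = bcrypt hash.
// Cost 12 is a reasonable choice for a Raspberry Pi-class device; the file is
// made readable only by its owner so the hash is not exposed to other users.
function rotateAdminPassword(string $user, string $newPassword): void {
    $hash = password_hash($newPassword, PASSWORD_BCRYPT, ['cost' => 12]);
    file_put_contents(RASPI_ADMIN_DETAILS, $user . "\n" . $hash . "\n", LOCK_EX);
    chmod(RASPI_ADMIN_DETAILS, 0600);
}

// Before rotation: no override file, so the shipped defaults apply.
@unlink(RASPI_ADMIN_DETAILS);
$before = loadAdminConfig($defaultHash);
printf("before rotation: user=%s default-password=%s\n",
       $before['admin_user'], usesDefaultPassword($before) ? 'yes' : 'no');

// Rotate to a randomly generated password; print it once so the operator can record it.
$newPassword = bin2hex(random_bytes(12));
rotateAdminPassword('admin', $newPassword);
printf("new admin password: %s\n", $newPassword);

// After rotation: the loader now picks up the file and "secret" no longer verifies.
$after = loadAdminConfig($defaultHash);
printf("after rotation:  user=%s default-password=%s new-password-verifies=%s\n",
       $after['admin_user'],
       usesDefaultPassword($after) ? 'yes' : 'no',
       password_verify($newPassword, $after['admin_pass']) ? 'yes' : 'no');

// Clean up the example file.
@unlink(RASPI_ADMIN_DETAILS);
```

Run it with `php` on any host; the `usesDefaultPassword` check is the part worth keeping as a startup or monitoring check on a real device, since it tells you whether an instance is still reachable with the published default credentials without changing anything.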

CVE-2024-44373

In the save_file.php script, which powers the "Save Changes" feature in the Script Editor under the Editor tab on the Allsky website, we have the following PHP code: