IIT - CNR - Istituto di Informatica e Telematica

Exploiting an unpatched flaw in daloRADIUS 1.1-2 to obtain a reverse shell

daloRADIUS is an advanced RADIUS web management application aimed at managing hotspots and general-purpose ISP deployments. It features user management, graphical reporting, accounting and a billing engine, and it integrates with Google Maps. It is based on a FreeRADIUS deployment with a database server serving as the backend. It is written in PHP and JavaScript and uses a database abstraction layer to support many relational database management systems. The latest version of daloRADIUS (1.1-2 at the time of writing) uses an outdated version of DOMPDF (0.5.1). This document first presents how we confirmed the presence of a known vulnerability (CVE-2010-4879) related to DOMPDF 0.5.1 in a running deployment of daloRADIUS 1.1-2. Second, it presents a detailed attack scenario, accompanied by an exploit written in Python 3, to illustrate how an attacker can exploit this vulnerability and obtain a reverse shell on the victim machine hosting daloRADIUS 1.1-2. Finally, it presents a patched version of daloRADIUS, forked from the official GitHub repository and released on another GitHub repository under our control.


2020

IIT authors:

Type: Technical Report
Field of reference: Information Technology and Communication Systems
IIT TR-01/2020

File: IIT-01-2020.pdf

Activity: Telematic network of the CNR in Pisa