CVE-2023-38316
Description
An issue was discovered in OpenNDS Captive Portal before version 10.1.2. When the custom unescape callback is enabled, attackers can execute arbitrary OS commands by inserting them into the URL portion of HTTP GET requests. OpenNDS Captive Portal versions before 10.1.2 are affected. The issue was fixed in OpenWrt master, OpenWrt 23.05 and OpenWrt 22.03 on 28 August 2023 by updating OpenNDS to version 10.1.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated remote code execution via URL injection in OpenNDS Captive Portal versions before 10.1.2 when the custom unescape callback is enabled.
Vulnerability
OpenNDS Captive Portal before version 10.1.2 contains a code injection vulnerability. When the custom unescape callback is enabled, an attacker can insert arbitrary OS commands into the URL portion of HTTP GET requests. The fix, applied in version 10.1.3, removed the deprecated and non-functioning unescape callback [1], [2].
Exploitation
An attacker must be able to send HTTP GET requests to the captive portal, which typically requires network access to the portal (often unauthenticated). By injecting command separators and payloads into the URL query string, the attacker can cause the server to execute arbitrary shell commands. No prior authentication is needed if the portal is exposed [1].
Impact
Successful exploitation results in remote code execution (RCE) as the user running the OpenNDS service. This gives the attacker full control over the affected device, including the ability to modify system files, exfiltrate data, or pivot to other networks. The vulnerability affects all deployments using the vulnerable unescape callback configuration [1].
Mitigation
Update OpenNDS to version 10.1.3 or later. For OpenWrt users, the fix was included in OpenWrt master, OpenWrt 23.05, and OpenWrt 22.03 on August 28, 2023 [2]. Sierra Wireless also addressed the vulnerability in ALEOS 4.17 released in October 2023 [3]. No workarounds other than disabling the custom unescape callback or upgrading have been documented.
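A triage helper for the upgrade guidance above, as an added example that is not part of the original page or of the openNDS project. It classifies a package version string against the 10.1.2 and 10.1.3 boundaries named in this advisory; the function names and the affected/update/fixed/unknown labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify an openNDS package version against the versions
# named in this advisory. Function names and labels are assumptions.

# "10.1.2-1" -> "10.1.2", "10.2.0+dfsg-1build2" -> "10.2.0"
upstream_version() {
    v=${1#*:}                      # drop a Debian epoch if present
    printf '%s\n' "${v%%[-+~]*}"   # drop packaging revision / repack suffix
}

# Compare two dotted numeric versions; prints lt, eq or gt.
version_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${x:-0}" -lt "${y:-0}" ]; then echo lt; return; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then echo gt; return; fi
    done
    echo eq
}

classify_opennds() {
    v=$(upstream_version "$1")
    # Refuse to guess on pre-release tags or anything non-numeric.
    case $v in ''|*[!0-9.]*) echo unknown; return ;; esac
    if [ "$(version_cmp "$v" 10.1.2)" = lt ]; then
        echo affected   # "before version 10.1.2" in the description
    elif [ "$(version_cmp "$v" 10.1.3)" = lt ]; then
        echo update     # not listed as affected, but below the 10.1.3 fix release
    else
        echo fixed
    fi
}

# Constructed sample inputs, except the last, which is the Ubuntu package
# version listed under "Affected products".
for ver in 10.1.1-1 10.1.2-1 10.1.3-1 '10.2.0+dfsg-1build2'; do
    printf '%-22s %s\n' "$ver" "$(classify_opennds "$ver")"
done
```

Feed it the version string your package manager reports for the opennds package; an `unknown` result means the string needs a manual look rather than an automatic verdict.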
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (4)
- OpenNDS/OpenNDS Captive Portal (description)
- osv-coords, 2 versions (+ 1 more), range: >= 0
  pkg:deb/ubuntu/opennds@10.2.0+dfsg-1build2?arch=source&distro=noble
  pkg:deb/ubuntu/opennds@10.2.0+dfsg-1build2?arch=source&distro=oracular
- (no CPE) range: >= 0
- (no CPE) range: >= 0