VYPR
High severity · OSV Advisory · Published Jul 10, 2024 · Updated Apr 15, 2026

CVE-2024-3799

Description

Insecure handling of POST header parameter body included in requests being sent to an instance of the open-source project Phoniebox allows an attacker to create a website, which – when visited by a user – will send malicious requests to multiple hosts on the local network. If such a request reaches the server, it will cause a shell command execution.

This issue affects Phoniebox in all releases through 2.7. Newer 2.x releases were not tested, but they might also be vulnerable. Phoniebox versions 3.0 and higher are not affected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2024-3799: OS command injection in Phoniebox's POST handler allows unauthenticated remote code execution via crafted requests.

CVE-2024-3799 is an OS command injection vulnerability in the open-source project Phoniebox (a jukebox for Raspberry Pi). The insecure handling of the POST parameter body in requests sent to htdocs/inc.setWifi.php allows an attacker to inject arbitrary shell commands. The issue affects all Phoniebox releases through version 2.7; version 3.0 and later are not vulnerable [1][2].

Exploitation requires no authentication. The attack vector is a crafted POST request to the vulnerable PHP script. A proof-of-concept demonstrates that an attacker can append shell commands to any of the POST parameters (e.g., WIFIpass_ls or WIFIssid_ls). Because Phoniebox is typically deployed on a local network, the most likely attack surface involves an attacker luring a user on the same LAN to visit a malicious website; JavaScript on that site can then send forged POST requests to multiple local hosts, reaching the vulnerable Phoniebox instance [3].

Successful exploitation grants the attacker remote code execution with the privileges of the web server user, leading to full compromise of the vulnerable device. The attacker could install malware, exfiltrate data, or pivot to other systems on the network [1][2].

Phoniebox version 3.0 and higher are not affected. Users running version 2.7 or earlier are strongly advised to upgrade to a supported release. As of the publication date, no official patch for the 2.x branch has been announced; the project's GitHub issue requests a fix [3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
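A defensive counterpart to the mechanism described in the narrative above, added here as an illustration and not code from Phoniebox or from the advisory: a hypothetical hardened front half of a Wi-Fi settings handler that rejects cross-site POSTs with an Origin/Referer check, allow-lists the WIFIssid_ls and WIFIpass_ls values, and quotes them with escapeshellarg() before any shell command is built. The function names, the set_wifi.sh path and the printable-ASCII restriction are assumptions.

```php
<?php
// Added defensive example, not Phoniebox's own code: a hypothetical hardened
// front half of a Wi-Fi settings handler that rejects cross-site requests,
// validates the two POST fields named in the advisory, and only then builds a
// shell command with each value quoted. The script path is a placeholder.

// Browsers send Origin (or at least Referer) on cross-site POSTs, so a request
// forged by a page on another site fails here. A per-session CSRF token is the
// stronger form; this is the minimal version.
function isSameOriginRequest(array $server): bool
{
    $host = strtolower((string) parse_url('http://' . ($server['HTTP_HOST'] ?? ''), PHP_URL_HOST));
    $origin = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $originHost = strtolower((string) parse_url($origin, PHP_URL_HOST));
    return $host !== '' && $originHost === $host;
}

// Allow-list the values before they go near a shell. Limits follow WPA2
// conventions (SSID up to 32 bytes, passphrase 8..63 characters); restricting
// both to printable ASCII is an assumption that also excludes newlines.
function validateWifiInput(array $post): ?array
{
    $ssid = $post['WIFIssid_ls'] ?? null;
    $pass = $post['WIFIpass_ls'] ?? null;
    if (!is_string($ssid) || !is_string($pass)) {
        return null;
    }
    $printable = '/^[\x20-\x7E]+\z/'; // \z, not $, so a trailing newline cannot pass
    if (strlen($ssid) < 1 || strlen($ssid) > 32 || !preg_match($printable, $ssid)) {
        return null;
    }
    if (strlen($pass) < 8 || strlen($pass) > 63 || !preg_match($printable, $pass)) {
        return null;
    }
    return ['ssid' => $ssid, 'pass' => $pass];
}

// Even after validation, quote each value: "x; id" becomes one literal argument.
function buildWifiCommand(string $ssid, string $pass): string
{
    return '/usr/local/bin/set_wifi.sh ' . escapeshellarg($ssid) . ' ' . escapeshellarg($pass);
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!isSameOriginRequest($_SERVER)) { http_response_code(403); exit('cross-site request rejected'); }
    $input = validateWifiInput($_POST);
    if ($input === null) { http_response_code(400); exit('invalid SSID or passphrase'); }
    $cmd = buildWifiCommand($input['ssid'], $input['pass']);
    // exec($cmd) would run here; left out so this file is inert on its own.
}
```

The origin check on its own is bypassed if a browser omits both headers, so a real deployment should pair it with a CSRF token tied to the session.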

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 3
