CVE-2019-25024
📋 TL;DR
CVE-2019-25024 is an unauthenticated command injection vulnerability in OpenRepeater (ORP) that allows remote attackers to execute arbitrary commands on the server by sending specially crafted POST requests with shell metacharacters. This affects all OpenRepeater installations before version 2.2 that have the vulnerable functions/ajax_system.php endpoint accessible.
💻 Affected Systems
- OpenRepeater (ORP)
📦 What is this software?
Openrepeater by Alleghenycreative
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise leading to full remote code execution, data theft, installation of persistent backdoors, and potential pivot to internal networks.
Likely Case
Remote attacker gains shell access to the OpenRepeater server, can modify configurations, disrupt repeater operations, and potentially access connected radio equipment.
If Mitigated
With proper network segmentation and access controls, impact limited to the OpenRepeater application server only.
🎯 Exploit Status
Multiple public proof-of-concept exploits are available. Exploitation requires only an HTTP POST request with shell metacharacters in the post_service parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2 and later
Vendor Advisory: https://github.com/OpenRepeater/openrepeater/issues/66
Restart Required: No
Instructions:
1. Backup current configuration.
2. Update OpenRepeater to version 2.2 or later.
3. Verify the update completed successfully.
4. Test system functionality.
🔧 Temporary Workarounds
Block Vulnerable Endpoint
Use web server configuration to block access to the vulnerable functions/ajax_system.php file
# For Apache (2.4 syntax): add to the virtual host config.
# <Location> matches the URL path; <Files> would match on file name only.
<Location "/functions/ajax_system.php">
    Require all denied
</Location>
# On Apache 2.2 replace "Require all denied" with:
#   Order allow,deny
#   Deny from all
# For Nginx: add inside the server block
location ~ ^/functions/ajax_system\.php$ {
    deny all;      # access phase: refuse every client
    return 403;    # rewrite phase: answers 403 before deny is even evaluated
}
Input Validation Filter
Add input validation to sanitize the post_service parameter before processing
# Add to functions/ajax_system.php before line 14.
# escapeshellarg() wraps the value in single quotes and escapes any embedded
# quotes, so shell metacharacters are passed as literal text; the null
# coalescing fallback avoids a notice when the parameter is absent.
$post_service = escapeshellarg($_POST['post_service'] ?? '');
🧯 If You Can't Patch
- Immediately restrict network access to OpenRepeater web interface using firewall rules to allow only trusted IP addresses.
- Implement a web application firewall (WAF) with command injection detection rules in front of the OpenRepeater installation.
🔍 How to Verify
Check if Vulnerable:
Check whether the OpenRepeater version is below 2.2 by visiting the web interface and checking the version in the footer or on the system info page.
Check Version:
grep -i version /var/www/openrepeater/includes/config.php 2>/dev/null || echo "Check web interface footer"
Verify Fix Applied:
After updating to version 2.2 or later, verify the version number in the web interface and test that the system functions normally.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /functions/ajax_system.php containing shell metacharacters like ;, |, &, $, (, ), `, or >
- Unusual process execution from web server user (www-data, apache, nginx)
- Multiple failed authentication attempts followed by successful POST to vulnerable endpoint
Network Indicators:
- HTTP POST requests with unusual parameters or shell characters in post_service field
- Outbound connections from OpenRepeater server to suspicious IPs or domains
SIEM Query:
source="web_server_logs" AND uri="/functions/ajax_system.php" AND (post_service="*;*" OR post_service="*|*" OR post_service="*&*" OR post_service="*`*" OR post_service="*$(*" OR post_service="*>*")
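The log indicators and SIEM query above describe the detection in words; the following script is an added example (not part of the advisory or of the OpenRepeater project) that applies the same rule to request records. It assumes a reverse proxy or WAF that logs the form body of each request as a field (standard access logs do not contain POST bodies); the sample records are constructed for this example. The body is decoded with the same form-parsing rules PHP applies to $_POST, so a bare & splits fields exactly as the application would see it, and only a percent-encoded metacharacter reaches the post_service value.

```python
import re
from urllib.parse import parse_qs

# Endpoint named in the advisory
VULN_ENDPOINT = "/functions/ajax_system.php"

# Shell metacharacters listed under "Log Indicators"
META = re.compile(r"[;|&$()`>]")

# Constructed sample records (not real logs): what a proxy or WAF that logs
# form bodies might emit. Sources use RFC 5737 documentation ranges.
SAMPLE_REQUESTS = [
    {"method": "POST", "uri": VULN_ENDPOINT,
     "body": "post_service=svxlink", "src": "192.0.2.10"},
    {"method": "POST", "uri": VULN_ENDPOINT,
     "body": "post_service=svxlink;id", "src": "198.51.100.7"},
    {"method": "POST", "uri": VULN_ENDPOINT,
     "body": "post_service=svxlink%60id%60", "src": "198.51.100.7"},
    {"method": "POST", "uri": VULN_ENDPOINT,
     "body": "post_service=svxlink%20%24(id)", "src": "198.51.100.8"},
    {"method": "GET", "uri": "/index.php", "body": "", "src": "192.0.2.11"},
    # Same metacharacters, but not the vulnerable endpoint: not flagged
    {"method": "POST", "uri": "/functions/ajax_other.php",
     "body": "post_service=x|y", "src": "192.0.2.12"},
]


def decoded_post_service(body):
    """Return the post_service value(s) from a urlencoded form body.

    parse_qs splits on '&' and percent-decodes, matching how PHP builds
    $_POST: a literal '&' inside the value ends the field, so an injected
    '&' has to arrive as %26 to reach the application at all.
    """
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("post_service", [])


def scan(records):
    """One finding per suspicious request: source, decoded value, metachars seen.

    Only POSTs to the vulnerable endpoint are inspected; requests elsewhere
    are ignored so the rule stays specific, like the SIEM query above.
    """
    findings = []
    for r in records:
        if r["method"] != "POST" or r["uri"] != VULN_ENDPOINT:
            continue
        for value in decoded_post_service(r["body"]):
            hits = sorted(set(META.findall(value)))
            if hits:
                findings.append({"src": r["src"], "value": value,
                                 "metachars": hits})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"{f['src']}: post_service={f['value']!r} "
              f"metachars={''.join(f['metachars'])}")
```

Feed the script decoded request records from your proxy or WAF and alert on any finding; repeated findings from one source against this endpoint are the pattern the "Network Indicators" section describes.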