CVE-2022-31137
📋 TL;DR
CVE-2022-31137 is a critical remote code execution vulnerability in the Roxy-WI web interface that allows unauthenticated attackers to execute arbitrary system commands. The vulnerability exists in the subprocess_execute function in /app/options.py, where user input is not properly sanitized. All Roxy-WI installations prior to version 6.1.1.0 are affected.
💻 Affected Systems
- Roxy-WI
📦 What is this software?
Roxy Wi by Roxy Wi
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands as the Roxy-WI service account, potentially leading to full server takeover, data theft, and lateral movement within the network.
Likely Case
Attackers gain shell access to the server, install malware, create backdoors, and potentially pivot to other systems in the network.
If Mitigated
If properly segmented and monitored, impact could be limited to the Roxy-WI server itself, though data exfiltration and service disruption remain likely.
🎯 Exploit Status
Multiple public exploit scripts available. Attack requires only HTTP access to the vulnerable endpoint with no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.1.1.0
Vendor Advisory: https://github.com/hap-wi/roxy-wi/commit/82666df1e60c45dd6aa533b01a392f015d32f755
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Stop the Roxy-WI service.
3. Update to version 6.1.1.0 or later via git pull or package update.
4. Restart the Roxy-WI service.
5. Verify functionality.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the Roxy-WI interface using firewall rules (Linux). Add the ACCEPT rule before the DROP rule, since iptables evaluates rules in order:
iptables -A INPUT -p tcp --dport [roxy-wi-port] -s [trusted-ips] -j ACCEPT
iptables -A INPUT -p tcp --dport [roxy-wi-port] -j DROP
🧯 If You Can't Patch
- Immediately restrict network access to the Roxy-WI interface using firewall rules, allowing only trusted IP addresses
- Monitor system logs and network traffic for exploitation attempts and unusual command execution
🔍 How to Verify
Check if Vulnerable:
Check Roxy-WI version via web interface or configuration files. Versions below 6.1.1.0 are vulnerable.
Check Version:
grep -r 'version' /path/to/roxy-wi/config/ (or check the web interface footer)
Verify Fix Applied:
Verify that the version is 6.1.1.0 or higher and test that command injection attempts are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual subprocess_execute calls in Roxy-WI logs
- Suspicious command execution patterns in system logs
- Multiple failed authentication attempts followed by successful command execution
Network Indicators:
- HTTP POST requests to /app/options.py with command injection payloads
- Unusual outbound connections from Roxy-WI server
SIEM Query:
source="roxy-wi" AND ("subprocess_execute" OR "os.system" OR "popen") AND (payload="|" OR payload="$" OR payload="`" OR payload="&&")
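The network indicators above, as a small detector that is an added example and not part of the original advisory. It assumes a reverse proxy or WAF in front of Roxy-WI writes one JSON record per request including the form body (a constructed format; the field names, IPs and bodies are made up for illustration):

```python
"""Flag requests matching the CVE-2022-31137 network indicators above."""
import json
import re
from urllib.parse import unquote_plus

# Shell metacharacters named in the SIEM query above, plus ';' and newline,
# which also terminate a command in a shell.
METACHAR_RE = re.compile(r"\|\||&&|[|$`;\n]")
TARGET_PATH = "/app/options.py"  # vulnerable endpoint named in the advisory


def is_suspicious(method: str, path: str, body: str) -> bool:
    """True when a POST to the vulnerable endpoint carries shell metacharacters.

    The body is URL-decoded first, so %7C (|) and friends are not missed.
    """
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return False
    return METACHAR_RE.search(unquote_plus(body)) is not None


def scan_records(lines):
    """Return (src_ip, body) for each JSON record that looks like an injection attempt."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip rather than crash the detector
        if is_suspicious(rec.get("method", ""), rec.get("path", ""), rec.get("body", "")):
            hits.append((rec.get("src_ip", "?"), rec["body"]))
    return hits


# Constructed sample records (hypothetical field names and values).
SAMPLE_LOG = """
{"src_ip": "203.0.113.5", "method": "POST", "path": "/app/options.py", "body": "server=10.0.0.1&port=22"}
{"src_ip": "203.0.113.9", "method": "POST", "path": "/app/options.py", "body": "server=10.0.0.1%7Cid&port=22"}
{"src_ip": "198.51.100.2", "method": "GET", "path": "/app/options.py", "body": ""}
{"src_ip": "198.51.100.7", "method": "POST", "path": "/app/login.py", "body": "user=a|b"}
"""

if __name__ == "__main__":
    for ip, body in scan_records(SAMPLE_LOG.splitlines()):
        print(f"possible CVE-2022-31137 probe from {ip}: {body!r}")
```

Only the POST to /app/options.py whose decoded body contains a metacharacter is reported; a GET to the same path and a POST to another path are ignored.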
🔗 References
- http://packetstormsecurity.com/files/167805/Roxy-WI-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/171648/Roxy-WI-6.1.0.0-Improper-Authentication-Control.html
- http://packetstormsecurity.com/files/171652/Roxy-WI-6.1.1.0-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/172547/Roxy-WI-6.1.0.0-Remote-Command-Execution.html
- https://github.com/hap-wi/roxy-wi/commit/82666df1e60c45dd6aa533b01a392f015d32f755
- https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-53r2-mq99-f532