Exploiting an unpatched flaw in daloRADIUS 1.1-2 to obtain a reverse shell
F M Lauria
2020
Abstract
daloRADIUS is an advanced RADIUS web management application aimed at managing hotspots and general-purpose ISP deployments. It features user management, graphical reporting, accounting, and a billing engine, and it integrates with Google Maps. It is based on a FreeRADIUS deployment with a database server serving as the backend. It is written in PHP and JavaScript and uses a database abstraction layer to support many relational database management systems. The latest version of daloRADIUS (1.1-2 at the time of writing) uses an outdated version of DOMPDF (0.5.1). This document first presents how we confirmed the presence of a known vulnerability (CVE-2010-4879) related to DOMPDF 0.5.1 in a running deployment of daloRADIUS 1.1-2. Second, a detailed attack scenario, accompanied by an exploit written in Python 3, illustrates how an attacker can exploit this vulnerability and obtain a reverse shell on the victim machine hosting daloRADIUS 1.1-2. Finally, a patched version of daloRADIUS, forked from the official GitHub repository and released on another GitHub repository under our control, is presented.


