Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-33325: TALOS-2022-1573 || Cisco Talos Intelligence Group

Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network packets can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.The /ajax/clear_tools_log/ API is affected by command injection vulnerability.

CVE
#vulnerability#web#cisco#intel

Summary

Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network packets can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.

Tested Versions

Robustel R1510 3.3.0

Product URLs

R1510 - https://www.robustel.com/en/product/r1510-industrial-cellular-vpn-router/

CVSSv3 Score

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Details

The R1510 is an industrial cellular router. It offers several advanced software like an innovative use of Open VPN, Cloud management, data over-use guard, smart reboot and others

The R1510 has a web server that manages several endpoints. One group of endpoints have the following form /ajax/<API_endpoint>/. Several of those endpoints use unsafe functions with user provided parameters, like the standard system function, and a custom one called sysprintf.

Here it is sysprintf:

void sysprintf(char *format_string,char *param_2,char *char*,char *param_4)

{
  [...]

  va_list_ptr = va_list;
  va_list[0] = param_2;
  va_list[1] = char*;
  va_list[2] = param_4;
  vsnprintf(shell_command,0x200,format_string,va_list_ptr);                                             [1]
  system(shell_command);                                                                                [2]
  return;
}

At [1] a string is formatted, using the first argument of the function as format string and the others parameters as format string arguments. If one of the argument is controllable by an attacker a command injection would occur at [2].

CVE-2022-33325 - /ajax/clear_tools_log/ command injection

This command injection is in the /ajax/clear_tools_log/ API.

The function that handles that endpoint is:

undefined4 /ajax/clear_tools_log/(Webs *webs)

{
  [...]

  [...]
      tools_name = (char *)websGetVar(webs,"tools_name",0);                                             [3]
      iVar1 = string_is_not_empty(tools_name);
      if (iVar1 != 0) {
        TOOLS_LOG_FILE_MARK = websGetSessionVar(webs,"_:TOOLS_LOG_FILE_MARK:_","0");
        pcVar5 = (char *)sfmt("rm %s/wlf_%s_%s.log -rf","/tmp/log/tools",tools_name,                    [4]
                              TOOLS_LOG_FILE_MARK);
        iVar1 = system(pcVar5);                                                                         [5]
        [...]

At [3] the tools_name variable is fetched and then, at [4], used to format a string. The formatted string is then used at [5] as argument for the system function. This can lead to a command injection.

CVE-2022-33326 - /ajax/config_rollback/ command injection

This command injection is in the /ajax/config_rollback/ API.

The function that handles that endpoint is:

undefined4 /ajax/config_rollback/(Webs *webs)

{
  [...]

  [...]
        archive_param = websGetVar(webs,"archive",0);                                                   [6]
        iVar4 = dir_exists("/app/config/rollback_archive");
        iVar1 = -1;
        if (iVar4 != 0) {
          sysprintf("mkdir -p %s","/tmp/config_rollback");
          iVar1 = sysprintf("tar -C %s -zxf %s/%s.tgz && uci -c import %s/config.xml && rm %s -rf",
                            "/tmp/config_rollback","/app/config/rollback_archive",archive_param,
                            "/tmp/config_rollback","/tmp/config_rollback");                             [7]
          iVar1 = -(uint)(iVar1 != 0);
        }

At [6] the archive variable is fetched and then used as argument of the sysprintf function at [7]. This can lead to a command injection.

CVE-2022-33327 - /ajax/remove_sniffer_raw_log/ command injection

This command injection is in the /ajax/remove_sniffer_raw_log/ API.

The function that handles that endpoint is:

undefined4 /ajax/remove_sniffer_raw_log/(Webs *webs)

{
  [...]

  [...]
      file_name = (char *)websGetVar(webs,"file_name",0);                                               [8]
      if ((file_name != (char *)0x0) && (pcVar5 = strstr(file_name,".."), pcVar5 == (char *)0x0)) {
        shell_command = (char *)sfmt("rm %s/%s -rf","/tmp/log/sniffer",file_name);                      [9]
        iVar1 = system(shell_command);                                                                  [10]
        [...]

At [8] the file_name variable is fetched and then, at [9], used to format a string. The formatted string is then used at [10] as argument for the system function. This can lead to a command injection.

CVE-2022-33328 - /ajax/remove/ command injection

This command injection is in the /ajax/remove/ API.

The function that handles that endpoint is:

undefined4 /ajax/remove/(Webs *webs)

{
  [...]

  [...]
      file_name = (char *)websGetVar(webs,"file_name",0);                                               [11]
      if ((file_name != (char *)0x0) &&
         (shell_command = strstr(file_name,".."), shell_command == (char *)0x0)) {
        shell_command = (char *)sfmt("rm %s -rf",file_name);                                            [12]
        iVar1 = system(shell_command);                                                                  [13]
        [...]
}

At [11] the file_name variable is fetched and then, at [12], used to format a string. The formatted string is then used at [13] as argument for the system function. This can lead to a command injection.

CVE-2022-33329 - /ajax/set_sys_time/ command injection

This command injection is in the /ajax/set_sys_time/ API.

The function that handles that endpoint is:

undefined4 /ajax/set_sys_time/(Webs *webs)

{
  [...]

  [...]
      date = websGetVar(webs,"date",0);                                                                 [14]
      if ((date != 0) && (iVar3 = string_is_empty(date), iVar3 == 0)) {
        sysprintf("date \"%s\"",date);                                                                  [15]
        [...]
}

At [14] the date variable is fetched and then used at [15] as argument of the sysprintf function. This can lead to a command injection.

Timeline

2022-06-27 - Initial vendor contact
2022-06-28 - Vendor Disclosure
2022-06-30 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

Related news

The many vulnerabilities Talos discovered in SOHO and industrial wireless routers post-VPNFilter

Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance.

Vulnerability Spotlight: Multiple issues in Robustel R1510 cellular router could lead to code execution, denial of service

Francesco Benvenuto of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.  Cisco Talos recently discovered nine vulnerabilities in the Robustel R1510 industrial cellular router, several of which could allow an adversary to inject operating system code remotely.  The Robustel R1510 router is a dual-ethernet port wireless router that shares 3G and 4G wireless signals for use in industrial and internet-of-things environments. The router includes the use of open VPN tunneling, a cloud management platform to manage other devices and routers and different safeguards to manage data caps. Talos discovered five operating system command injection vulnerabilities in the router that an adversary could trigger by sending the targeted device a specially crafted network request. All these vulnerabilities have a CVSS severity score of 9.1 out of 10:  TALOS-2022-1578 (CVE-2022-34850)  TALOS-2022-1577 (CVE-2022-33150)  TALOS-2022-1576 (CVE-2022-32765)  TALOS-2022-1573 (CVE-2022-33325 ...

Vulnerability Spotlight: Multiple issues in Robustel R1510 cellular router could lead to code execution, denial of service

Cisco Talos recently discovered nine vulnerabilities in the Robustel R1510 industrial cellular router, several of which could allow an adversary to inject operating system code remotely.

Vulnerability Spotlight: Command injection vulnerabilities in Robustel cellular router

Lilith >_> of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.  Cisco Talos recently discovered four vulnerabilities in the Robustel R1510 industrial cellular router.  The R1510 is a portable router that shares 2G, 3G and 4G wireless internet access. It comes with... [[ This is only the beginning! Please visit the blog for the complete entry ]]

Vulnerability Spotlight: Command injection vulnerabilities in Robustel cellular router

Lilith >_> of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.  Cisco Talos recently discovered four vulnerabilities in the Robustel R1510 industrial cellular router.  The R1510 is a portable router that shares 2G, 3G and 4G wireless internet access. It comes with... [[ This is only the beginning! Please visit the blog for the complete entry ]]

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907