CVE-2023-24479: TALOS-2023-1762 || Cisco Talos Intelligence Group
SUMMARY
An authentication bypass vulnerability exists in the httpd nvram.cgi functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.
CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Yifan YF325 v1.0_20221108
PRODUCT URLS
YF325 - https://yifanwireless.com/entry-level-wifi-router/yf325-series-gprs/3g/4g-wifi-router-with-sim-card-slot.html
CVSSv3 SCORE
9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-284 - Improper Access Control
DETAILS
The Yifan YF325 is an industrial cellular router designed for M2M and IoT applications; it allows remote management and offers several VPN services among other features.
The YF325 router provides a series of APIs. The API that manages the nvram.cgi* endpoints uses the httpd’s parse_nvram_file function to manage the incoming data:
void parse_nvram_file(undefined4 param_1,int fd,size_t content_length)
{
  [...]
  /* Loop 1: read the multipart body line by line (at most 0x400 bytes per
     line, capped by the remaining Content-Length) until the
     Content-Disposition header of the part named "file" is found. */
  do {
    if ((int)content_length < 1) break;
    read_size = 0x400;
    if (content_length + 1 < 0x401) {
      read_size = content_length + 1;
    }
    read_bytes = wfgets(temp_buf,read_size,fd);
    if (read_bytes == 0) {
      return;
    }
    current_len = strlen(temp_buf);
    content_length = content_length - current_len;
    is_equal = strncasecmp(temp_buf,"Content-Disposition:",0x14);
  } while ((is_equal != 0) || (pcVar3 = strstr(temp_buf,"name=\"file\""), pcVar3 == (char *)0x0));
  /* Loop 2: skip the remaining headers of that part up to the empty line
     ("\n" or "\r\n") that separates them from the uploaded file's contents. */
  while (0 < (int)content_length) {
    read_bytes = wfgets(temp_buf,0x400,fd);
    if (read_bytes == 0) {
      return;
    }
    current_len = strlen(temp_buf);
    content_length = content_length - current_len;
    is_equal = strcmp(temp_buf,"\n");
    if ((is_equal == 0) || (is_equal = strcmp(temp_buf,"\r\n"), is_equal == 0)) break;
  }
  [...]
  /* The uploaded file is written to /tmp/restore.bin and handed to
     nvram_restore(); no authentication check has taken place on this path. */
  restore_fd = fopen("/tmp/restore.bin","wb");
  [... read the request's uploaded file and write it into the "/tmp/restore.bin" file ...]
  res = nvram_restore("/tmp/restore.bin");
  [...]
  return;
}
The nvram_restore function opens the file named by its first argument, parses it and commits the resulting nvram variables. Because this code path is reachable without authentication, it constitutes a vulnerability: an attacker could change the device's admin credentials and obtain root access.
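To make the access-control point concrete, the following C program is an added example (not code from the advisory or from the YF325 firmware) that re-creates the two header-skipping loops shown above over an in-memory request body, and then places that same parsing behind an authorization decision. Everything beyond the loop structure is an assumption made for this example: the request_t context and its authenticated flag stand in for whatever session check the real httpd performs, mem_gets stands in for wfgets, the boundary matching is simplified, the payload is kept in memory instead of being written to /tmp/restore.bin, and the sample body and its variable name are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define LINE_BUF 0x400   /* the 1024-byte line buffer the advisory's loops use */
enum { NVRAM_OK = 0, NVRAM_BAD_REQUEST = 400, NVRAM_UNAUTHORIZED = 401 };

/* Hypothetical request context; `authenticated` stands in for the httpd session check the page does not show. */
typedef struct {
    int authenticated;
    const char *body;        /* multipart/form-data request body */
    size_t content_length;
} request_t;

/* In-memory line reader standing in for httpd's wfgets(): one line, at most size-1 bytes, keeps the '\n'. */
typedef struct { const char *cur; size_t left; } mem_stream;

static char *mem_gets(char *buf, size_t size, mem_stream *s)
{
    size_t n = 0;
    if (size < 2 || s->left == 0) return NULL;
    while (n < size - 1 && s->left > 0) {
        buf[n++] = *s->cur++; s->left--;
        if (buf[n - 1] == '\n') break;
    }
    buf[n] = '\0';
    return buf;
}

/* The advisory's two loops: find the Content-Disposition header of the "file" part, then skip
 * that part's remaining headers up to the blank line. 0 = positioned on the payload, -1 = ran out. */
static int skip_to_file_part(mem_stream *s, long content_length)
{
    char line[LINE_BUF];
    size_t read_size;
    do {
        if (content_length < 1) return -1;
        read_size = (size_t)content_length + 1 <= (size_t)LINE_BUF ? (size_t)content_length + 1 : LINE_BUF;
        if (mem_gets(line, read_size, s) == NULL) return -1;
        content_length -= (long)strlen(line);
    } while (strncasecmp(line, "Content-Disposition:", 20) != 0 ||
             strstr(line, "name=\"file\"") == NULL);
    while (content_length > 0) {
        if (mem_gets(line, LINE_BUF, s) == NULL) return -1;
        content_length -= (long)strlen(line);
        if (strcmp(line, "\n") == 0 || strcmp(line, "\r\n") == 0) return 0;
    }
    return -1;
}

/* Copies the payload into `out` up to the next boundary line. Simplified: any line starting
 * with "--" ends the part (a real parser matches the boundary taken from Content-Type).
 * The real httpd writes these bytes to /tmp/restore.bin and hands that path to nvram_restore(). */
static size_t copy_file_payload(mem_stream *s, char *out, size_t out_sz)
{
    char line[LINE_BUF];
    size_t used = 0, n;
    out[0] = '\0';
    while (mem_gets(line, LINE_BUF, s) != NULL) {
        if (strncmp(line, "--", 2) == 0) break;
        n = strlen(line);
        if (used + n >= out_sz) break;          /* would overflow `out` */
        memcpy(out + used, line, n + 1);        /* +1 copies the NUL */
        used += n;
    }
    return used;
}

/* Pre-fix shape: parse and apply the upload with no authorization decision (the CWE-284 problem). */
static int parse_nvram_file_unchecked(const request_t *req, char *out, size_t out_sz)
{
    mem_stream s = { req->body, req->content_length };
    if (skip_to_file_part(&s, (long)req->content_length) != 0) return NVRAM_BAD_REQUEST;
    copy_file_payload(&s, out, out_sz);
    return NVRAM_OK;
}

/* Hardened shape: decide authorization before reading a single body byte. */
static int parse_nvram_file_checked(const request_t *req, char *out, size_t out_sz)
{
    if (!req->authenticated) return NVRAM_UNAUTHORIZED;
    return parse_nvram_file_unchecked(req, out, out_sz);
}

/* Constructed sample body (not captured traffic); the nvram variable name is made up. */
static const char SAMPLE_BODY[] =
    "--BOUNDARY\r\n"
    "Content-Disposition: form-data; name=\"file\"; filename=\"restore.bin\"\r\n"
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "lan_hostname=example\n"
    "--BOUNDARY--\r\n";

int main(void)
{
    char payload[256];
    request_t req = { 0, SAMPLE_BODY, sizeof SAMPLE_BODY - 1 };
    printf("anonymous, unchecked handler: %d\n", parse_nvram_file_unchecked(&req, payload, sizeof payload));
    printf("anonymous, checked handler:   %d\n", parse_nvram_file_checked(&req, payload, sizeof payload));
    req.authenticated = 1;
    printf("authenticated:                %d, payload: %s", parse_nvram_file_checked(&req, payload, sizeof payload), payload);
    return 0;
}
```

The unchecked handler accepts the anonymous upload and extracts the payload, which is the behaviour the advisory describes; the checked handler returns 401 for the same request before any of the body is parsed, and only an authenticated request reaches the restore path. The decision is made at the dispatch boundary rather than inside the parser, so a later refactor of the multipart code cannot silently reopen the path.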
TIMELINE
2023-06-28 - Initial Vendor Contact
2023-07-06 - Vendor Disclosure
2023-10-11 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.