Headline
CVE-2022-34850: TALOS-2022-1578 || Cisco Talos Intelligence Group
An OS command injection vulnerability exists in the web_server /action/import_authorized_keys/ functionality of Robustel R1510 3.1.16 and 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.
SUMMARY
An OS command injection vulnerability exists in the web_server /action/import_authorized_keys/ functionality of Robustel R1510 3.1.16 and 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.
CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Robustel R1510 3.1.16
Robustel R1510 3.3.0
PRODUCT URLS
R1510 - https://www.robustel.com/en/product/r1510-industrial-cellular-vpn-router/
CVSSv3 SCORE
9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE
CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
DETAILS
The R1510 is an industrial cellular router. It offers several advanced software features like an innovative use of Open VPN, Cloud management, data over-use guard, smart reboot and others.
The R1510’s web_server offers an API to add, for the logged users, the SSH authorization keys.
Here is the /action/import_authorized_keys/ API that manages the imports of the SSH authorization keys:
void /action/import_authorized_keys/(Webs *webs)
{
[...]
memset(admin_ssh_folder,0,0x40);
user_username = uci_get("user_management.username");
snprintf(admin_ssh_folder,0x40,"/home/%s/.ssh",user_username);
iVar1 = dir_exists(admin_ssh_folder);
if (iVar1 == 0) {
sysprintf("mkdir -p %s",admin_ssh_folder);
sysprintf("chmod 700 %s",admin_ssh_folder);
}
iVar1 = scaselessmatch(webs->method,"POST");
if (iVar1 != 0) {
for (current_file = (WebsKey *)hashFirst(webs->files); current_file != (WebsKey *)0x0;
current_file = (WebsKey *)hashNext(webs->files,current_file)) {
sysprintf("cp -rf \"%s\" %s/authorized_keys",
((current_file->content).WebsUpload)->temp_filename,admin_ssh_folder); [1]
}
}
[...]
}
This function will fetch the admin-chosen username, create the /home/<ADMIN_USERNAME>/.ssh folder and set the right permissions for it. Then it will iterate over the request’s files and import those using the instruction at [1]. This instruction uses the sysprintf function that will first execute the vsnprintf function with the provided arguments, then use the output as argument for the system function. So, the instruction will copy the uploaded file from the temporary upload location to the /home/<ADMIN_USERNAME>/.ssh/authorized_keys folder, executing cp -rf “<TEMP_LOCATION>” /home/<ADMIN_USERNAME>/.ssh/authorized_keys.
The web_server offers the possibility to change the admin username. The API responsible to do so is /ajax/webs_uci_set_super_user/:
undefined4 /ajax/webs_uci_set_super_user/(Webs *webs)
{
[...]
new_username = websGetVar(webs,"new_username",0);
is_not_empty = string_is_not_empty(new_username);
if ((is_not_empty == 0) ||
(does_not_match = string_reg_verify(new_username,
"^[a-zA-Z0-9@\\#\\.\\$\\*\\!][a-zA-Z0-9@\\#\\.\\$\\*\\!\\-]{4,32 }$"
), does_not_match == 0)) { [2]
old_password = websGetVar(webs,"old_password",0);
is_error = string_reg_verify(old_password,
"^[a-zA-Z0-9@\\#\\.\\$\\*\\!][a-zA-Z0-9@\\#\\.\\$\\*\\!\\-]{4,32}$ "
);
if (is_error == 0) {
new_password = websGetVar(webs,"new_password",0);
is_error = string_reg_verify(new_password,
"^[a-zA-Z0-9@\\#\\.\\$\\*\\!][a-zA-Z0-9@\\#\\.\\$\\*\\!\\-]{4,32 }$"
);
if (is_error == 0) {
current_password = uci_get("user_management.password");
is_error = string_matched(old_password,current_password);
if (is_error == 0) {
websWrite(webs,"{name: \"%s\", reason: \"%s\"}","old_password","not match");
}
else {
is_error = string_is_not_empty(new_username);
if (((is_error == 0) ||
(is_error = uci_set("user_management.username",new_username), is_error == 0)) && [3]
(is_error = uci_set("user_management.password",new_password), iVar1 == 0)) {
res = "OK";
[...]
}
This function will take the request’s new_username parameter and checks at [2], if it is in a valid format. The same goes for the password parameters. Then, at [3], the new_username is committed as the new one.
Because the new_username valid format is ^[a-zA-Z0-9@\#\.\$\\!][a-zA-Z0-9@\#\.\$\\!\-]{4,32 }$, it is allowed to use special characters that can be interpreted in the unix shell. So, crafting a specific admin username and then using the /action/import_authorized_keys/ API would lead to a command injection at [1].
TIMELINE
2022-07-13 - Vendor Disclosure
2022-10-14 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.
Related news
Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance.
Francesco Benvenuto of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. Cisco Talos recently discovered nine vulnerabilities in the Robustel R1510 industrial cellular router, several of which could allow an adversary to inject operating system code remotely. The Robustel R1510 router is a dual-ethernet port wireless router that shares 3G and 4G wireless signals for use in industrial and internet-of-things environments. The router includes the use of open VPN tunneling, a cloud management platform to manage other devices and routers and different safeguards to manage data caps. Talos discovered five operating system command injection vulnerabilities in the router that an adversary could trigger by sending the targeted device a specially crafted network request. All these vulnerabilities have a CVSS severity score of 9.1 out of 10: TALOS-2022-1578 (CVE-2022-34850) TALOS-2022-1577 (CVE-2022-33150) TALOS-2022-1576 (CVE-2022-32765) TALOS-2022-1573 (CVE-2022-33325 ...
Cisco Talos recently discovered nine vulnerabilities in the Robustel R1510 industrial cellular router, several of which could allow an adversary to inject operating system code remotely.