CVE-2023-28381: TALOS-2023-1779 || Cisco Talos Intelligence Group
SUMMARY
An OS command injection vulnerability exists in the admin.cgi MVPN_trial_init functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Peplink Surf SOHO HW1 v6.3.5 (in QEMU)
PRODUCT URLS
Surf SOHO HW1 - https://www.peplink.com/products/soho-series-surf/
CVSSv3 SCORE
7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
DETAILS
The Surf series of SOHO routers is marketed as an entry-level router for use at home. It provides networking via USB cellular modems, Ethernet and Wi-Fi. The device can host a VPN and supports Wi-Fi meshing.
The device hosts a webserver for configuration and control.
An OS command injection vulnerability exists in the handling of requests destined for the /cgi-bin/MANGA/admin.cgi endpoint that are intended to initialize a trial of the MVPN feature. This endpoint is accessible only after successfully authenticating as a user with write privileges on the device. The vulnerability can only be reached if the device has been configured to use either mvpn_smoothing or mvpn_bonding. The HTTP POST request must carry a section parameter whose value is MVPN_trial_init in order to reach the vulnerable code.
The vulnerable function is located in the file admin.cgi at offset 0x4bb7b4 in firmware version 6.3.5, and we refer to it as MVPN_trial_init. An annotated decompilation of the function is included for reference.
// Annotated decompilation; is_support_llb_trial, get_mvpn_support_mode, cgi_safe_param,
// xml_error, BONDING and SMOOTHING are symbols from the admin.cgi binary.
int MVPN_trial_init()
{
    char debug[0x20] = {0};
    char cmd[0x400] = {0};
    int is_llb = is_support_llb_trial();
    int mvpn_support_mode = get_mvpn_support_mode();
    char* trial_type;
    snprintf(debug, 0x20, "%s", cgi_safe_param("debug")); // [1] Command injection payload must fit within 0x20 bytes
    if (mvpn_support_mode == BONDING) {
        if (is_llb) {
            trial_type = "bonding_llb";
        } else {
            trial_type = "bonding";
        }
    }
    if (mvpn_support_mode == SMOOTHING) {
        if (is_llb) {
            trial_type = "smoothing_llb";
        } else {
            trial_type = "smoothing";
        }
    }
    if (mvpn_support_mode == BONDING || mvpn_support_mode == SMOOTHING) { // [2] Smoothing or Bonding must be configured for MVPN in order to reach vulnerable code
        snprintf(cmd, 0x400, "/usr/local/ilink/bin/mvpn_trial_init %s %s > /dev/null 2>&1", trial_type, debug); // [3] Craft a command using attacker-controlled `debug` value
        if (system(cmd) == 0) { // [4] Execute the crafted command as root
            return 1;
        }
    }
    xml_error("Unable to start trial. Please try again later.");
    return 0;
}
Observe at [1] that the first 0x20 bytes of the HTTP POST param debug are extracted into the debug stack variable. If the configuration check at [2] is passed, the command is crafted at [3] by directly injecting the attacker-controlled value. Finally, at [4], the command is executed with root privileges. A properly formatted request can escape the intended command and execute arbitrary commands.
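The root cause at [3]/[4] is that an unvalidated request parameter is interpolated into a shell command line. The following added example (written for this advisory, not Peplink's code, and not from the original page) shows the two mitigations a defender would apply to this pattern: an allowlist check on the debug value, and launching the helper with fork/execv so that no shell ever parses attacker-controlled bytes. The function names debug_param_is_valid, build_trial_argv and run_without_shell, the allowed character set, and the sample inputs are all assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical hardened rewrite of the pattern at [1]-[4]; example code, not the vendor's. */

#define DEBUG_MAX 0x20   /* same buffer size as the decompiled debug[] array */

/* Returns 1 if the value is safe to pass as a single argv element: non-empty,
   shorter than DEBUG_MAX, and restricted to [A-Za-z0-9_-]. Shell metacharacters
   such as ';', '`', '$', '|' and whitespace are rejected by the allowlist. */
int debug_param_is_valid(const char *value)
{
    if (value == NULL) return 0;
    size_t len = strlen(value);
    if (len == 0 || len >= DEBUG_MAX) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!(isalnum(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Builds the argv vector that replaces the snprintf'd command string at [3].
   With execv there is no shell, so even a value that slipped past validation
   is delivered as one argument, never as a command line. Returns 1 on success. */
int build_trial_argv(const char *trial_type, const char *debug, const char *argv_out[4])
{
    if (!debug_param_is_valid(debug)) return 0;
    argv_out[0] = "/usr/local/ilink/bin/mvpn_trial_init";  /* path from the advisory */
    argv_out[1] = trial_type;
    argv_out[2] = debug;
    argv_out[3] = NULL;
    return 1;
}

/* fork/execv replacement for the system() call at [4].
   Returns the child's exit status, 127 if exec failed, or -1 on fork/wait error. */
int run_without_shell(const char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);   /* only reached if exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demonstration on constructed inputs (not taken from the advisory):
   a value containing a shell metacharacter is rejected, a plain token is accepted. */
int demo_injection_blocked(void)
{
    const char *argv[4];
    const char *metachar_value = "1;id";      /* constructed: contains ';' */
    const char *benign_value = "verbose";     /* constructed: allowlisted chars only */
    return build_trial_argv("bonding", metachar_value, argv) == 0 &&
           build_trial_argv("bonding", benign_value, argv) == 1;
}

int main(void)
{
    printf("injection blocked: %s\n", demo_injection_blocked() ? "yes" : "no");
    /* Constructed path that does not exist, to show the 127 exec-failure status. */
    const char *const missing[] = { "/nonexistent/mvpn_trial_init_example", NULL };
    printf("exec of missing binary -> %d\n", run_without_shell(missing));
    return 0;
}
```

The allowlist is deliberately strict: a debug flag for a trial-initialisation helper has no legitimate need for quotes, redirects or separators, so rejecting everything outside a small character set is cheaper and safer than trying to escape for the shell. The execv path is the more important of the two changes, because it removes the shell from the data flow entirely; the allowlist then acts as defence in depth against an argument the helper itself might misinterpret.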
TIMELINE
2023-06-26 - Initial Vendor Contact
2023-06-27 - Vendor Disclosure
2023-10-11 - Public Release
Discovered by Matt Wiseman of Cisco Talos.