CVE-2023-35193: TALOS-2023-1782 || Cisco Talos Intelligence Group

SUMMARY

An OS command injection vulnerability exists in the api.cgi cmd.mvpn.x509.write functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Peplink Surf SOHO HW1 v6.3.5 (in QEMU)

PRODUCT URLS

Surf SOHO HW1 - https://www.peplink.com/products/soho-series-surf/

CVSSv3 SCORE

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

DETAILS

The Surf series of SOHO routers is marketed as an entry-level router for use at home. It provides networking via USB cellular modems, ethernet and Wi-Fi. The device can host a VPN and supports Wi-Fi meshing.

The device hosts a web interface for administrative configuration. An OS command injection vulnerability exists in the handling of requests destined for the /cgi-bin/MANGA/api.cgi endpoint which are intended to interact with the x509 certificate configuration feature. This endpoint is accessible only after successfully authenticating as a user with write privileges on the device. The HTTP POST request must have a parameter, func, whose value is set to cmd.mvpn.x509.write in order to reach the vulnerable code.

The vulnerable function is located in the file api.cgi at offset 0x4bdd1c in firmware version 6.3.5, and is referred to as xml_submit_x509_overwrite_mvpn_self. This function is called from the API handler associated with cmd.mvpn.x509.write, which simply extracts three HTTP POST parameters (cert, key, pw) and passes them to the vulnerable function. An annotated decompilation of the function is included for reference.

int xml_submit_x509_overwrite_mvpn_self(char* cert, char* key, char* pw)
{
    char cmd[0x400] = {0};
    int result = 0;
    if (cert == 0)
    {
        result = 9;
    } else {
        result = 9;
        if (key != 0 && pw != 0)
        {
            snprintf(&cmd, 0x400, "/usr/local/ilink/bin/certificate_helper check_pk %s %s \"%s\" >/dev/null 2>&1", cert, key, __sh_escape(pw));  // [1] Craft an OS command using the unchecked, attacker-controlled cert and key parameters
            if (system(&var_418) != 0) {  // [2] Execute the command with root privileges
                return 2;
            }

            snprintf(&cmd, 0x400, "/usr/local/ilink/bin/certificate_helper save_self_cert %s %s \"%s\" > /dev/null 2>&1", cert, key, __sh_escape(pw));  // [3] Craft another OS command using the unchecked, attacker-controlled cert and key parameters
            result = 0 < system(&cmd) ? 1 : 0;  // [4] Execute another command with root privileges
        }
    } 
    return result;
}

CVE-2023-35193 - check_pk

Observe at [1] that an OS command is crafted using the attacker-controlled cert and key parameters. Of interest is that the pw parameter is checked prior to usage. The command is executed at [2] with root privileges.

CVE-2023-35194 - save_self_cert

If the result of the check_pk step is successful, the same thing occurs again at [3] and [4]. A properly formatted request can escape the intended command and execute arbitrary commands.

TIMELINE

2023-06-26 - Initial Vendor Contact
2023-06-27 - Vendor Disclosure
2023-10-11 - Public Release

Discovered by Matt Wiseman of Cisco Talos.