CVE-2023-35193: TALOS-2023-1782 || Cisco Talos Intelligence Group
An OS command injection vulnerability exists in the api.cgi cmd.mvpn.x509.write functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. This vulnerability is specifically for the system call in the file /web/MANGA/cgi-bin/api.cgi for firmware version 6.3.5 at offset 0x4bddb8.
SUMMARY
An OS command injection vulnerability exists in the api.cgi cmd.mvpn.x509.write functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Peplink Surf SOHO HW1 v6.3.5 (in QEMU)
PRODUCT URLS
Surf SOHO HW1 - https://www.peplink.com/products/soho-series-surf/
CVSSv3 SCORE
7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
DETAILS
The Surf series of SOHO routers is marketed as an entry-level router for use at home. It provides networking via USB cellular modems, ethernet and Wi-Fi. The device can host a VPN and supports Wi-Fi meshing.
The device hosts a web interface for administrative configuration. An OS command injection vulnerability exists in the handling of requests destined for the /cgi-bin/MANGA/api.cgi endpoint which are intended to interact with the x509 certificate configuration feature. This endpoint is accessible only after successfully authenticating as a user with write privileges on the device. The HTTP POST request must have a parameter, func, whose value is set to cmd.mvpn.x509.write in order to reach the vulnerable code.
The vulnerable function is located in the file api.cgi at offset 0x4bdd1c in firmware version 6.3.5, and is referred to as xml_submit_x509_overwrite_mvpn_self. This function is called from the API handler associated with cmd.mvpn.x509.write, which simply extracts three HTTP POST parameters (cert, key, pw) and passes them to the vulnerable function. An annotated decompilation of the function is included for reference.
#include <stdio.h>
#include <stdlib.h>

// Shell-escaping helper found elsewhere in the api.cgi binary; it is applied to pw only, never to cert or key
extern char *__sh_escape(char *s);

int xml_submit_x509_overwrite_mvpn_self(char* cert, char* key, char* pw)
{
    char cmd[0x400] = {0}; // shared buffer for both commands (the decompiler shows it as var_418)
    int result = 0;
    if (cert == 0)
    {
        result = 9;
    } else {
        result = 9; // returned when key or pw is missing
        if (key != 0 && pw != 0)
        {
            snprintf(cmd, sizeof(cmd), "/usr/local/ilink/bin/certificate_helper check_pk %s %s \"%s\" >/dev/null 2>&1", cert, key, __sh_escape(pw)); // [1] Craft an OS command using the unchecked, attacker-controlled cert and key parameters
            if (system(cmd) != 0) { // [2] Execute the command with root privileges
                return 2;
            }
            snprintf(cmd, sizeof(cmd), "/usr/local/ilink/bin/certificate_helper save_self_cert %s %s \"%s\" > /dev/null 2>&1", cert, key, __sh_escape(pw)); // [3] Craft another OS command using the unchecked, attacker-controlled cert and key parameters
            result = 0 < system(cmd) ? 1 : 0; // [4] Execute another command with root privileges
        }
    }
    return result;
}
CVE-2023-35193 - check_pk
Observe at [1] that an OS command is crafted using the attacker-controlled cert and key parameters without any sanitization. Of interest is that the pw parameter is passed through __sh_escape prior to usage, while cert and key are inserted into the command string as-is. The command is executed at [2] with root privileges.
CVE-2023-35194 - save_self_cert
If the check_pk command succeeds, the same pattern repeats at [3] and [4]: cert and key are again inserted unescaped into a second command that is executed with root privileges. A properly formatted request can escape the intended command and execute arbitrary commands.
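As an added illustration of the fix class for both findings (not Peplink's code and not part of this advisory), the hardened form below invokes certificate_helper through execv() with an argument vector, so no shell ever parses cert or key, and additionally restricts both to a conservative character set. The helper path is a parameter (an assumption made so the function can be exercised against a stand-in binary); the return codes 9, 2, 1 and 0 mirror the decompiled function above.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list: letters, digits, '.', '_', '-', '/' only. Shell metacharacters
 * (; | & $ ` quotes, whitespace, newlines) and empty or oversized values are rejected. */
int is_safe_arg(const char *s)
{
    if (s == NULL || *s == '\0' || strlen(s) > 255)
        return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' || c == '/'))
            return 0;
    }
    return 1;
}

/* Run the helper with no shell in between: each value lands in the helper's argv
 * unmodified, so nothing in it can terminate or extend the command.
 * Returns the helper's exit status (127 if it could not be executed),
 * or -1 if validation fails or the child could not be created/waited on. */
int run_helper(const char *helper, const char *subcmd,
               const char *cert, const char *key, const char *pw)
{
    if (!is_safe_arg(cert) || !is_safe_arg(key) || pw == NULL)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, (char *)subcmd, (char *)cert,
                               (char *)key, (char *)pw, NULL };
        execv(helper, argv); /* pw needs no escaping: there is no shell to escape from */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hardened counterpart of xml_submit_x509_overwrite_mvpn_self; helper is hypothetical. */
int hardened_x509_overwrite(const char *helper, const char *cert, const char *key, const char *pw)
{
    if (cert == NULL || key == NULL || pw == NULL)
        return 9;
    if (run_helper(helper, "check_pk", cert, key, pw) != 0)
        return 2;
    return run_helper(helper, "save_self_cert", cert, key, pw) == 0 ? 0 : 1;
}
```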
TIMELINE
2023-06-26 - Initial Vendor Contact
2023-06-27 - Vendor Disclosure
2023-10-11 - Public Release
Discovered by Matt Wiseman of Cisco Talos.