New Bug in Router NR1800X — Command injection via setUssd

IoT 1年前 (2022) admin
613 0 0

Hi and welcome to all readers of this post.

In a Mitre publication, a vulnerability of a TOTOLink NR1800X router (CVE-2022–41525) version V9.1.0u.6279_B20210910 appeared, which caught my attention so I kept learning more about the vulnerability.

Vendor — https://www.totolink.net

Wrapping up a bit more on the reported vulnerability, I proceeded to do some tests like emulating the firmware and starting my script in Ghidra to identify other potentially dangerous functions (Rce / BoF).

As a result I get a large list of promising functions (strcpy / system / etc). One of them is highlighted in the image (0x0041a68c), pointing to the function that contains the vulnerability.

New Bug in Router NR1800X — Command injection via setUssd

After I’ve already used Ghidra, I continued to analyze the binary cstecgi.cgi in IDA. (The use of multiple tools is only for convenience).

Starting with the analysis on the function we can quickly see the vulnerability where the v17 buffer is formatted on line 26 and then sent as a parameter by the system() function.

New Bug in Router NR1800X — Command injection via setUssd

After finding out what the function name (setUssd) that executes the ussdaction, I was able to recreate a payload in burpSuite to start the telnetd service on the router.

New Bug in Router NR1800X — Command injection via setUssd

Finally develop the exploit by concatenating two vulnerabilities. The first is a request to bypass authentication, which gets the session to be sent to the second request that exploits code execution.

New Bug in Router NR1800X — Command injection via setUssd

Poc Video

https://www.youtube.com/watch?v=Mcutnejlepk

 

原文始发于Miguel Méndez Z.:New Bug in Router NR1800X — Command injection via setUssd

版权声明:admin 发表于 2022年11月17日 下午12:08。
转载请注明:New Bug in Router NR1800X — Command injection via setUssd | CTF导航

相关文章

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...