CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Percentile: 69.0%
An OS command injection vulnerability exists in the console infactory_wlan functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted series of network requests can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.
InHand Networks InRouter302 V3.5.37
InRouter302 - <https://www.inhandnetworks.com/products/inrouter300.html>
9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The InRouter302 is an industrial LTE router. It features remote management functionality and several security protection mechanisms, such as VPN technologies, firewall functionality, authorization management and several other features.
The InRouter302 offers telnet and sshd services. Both, when provided with the correct credentials, allow access to the Router console.
Here is the prompt after login:
************************************************
Welcome to Router console
Inhand
Copyright @2001-2020, Beijing InHand Networks Co., Ltd.
http://www.inhandnetworks.com
------------------------------------------------
Model : IR302-WLAN
Serial Number : RF3022141057203
Description : www.inhandnetworks.com
Current Version : V3.5.37
Current Bootloader Version : 1.1.3.r4955
------------------------------------------------
get help for commands
------------------------------------------------
type '?' for detail help at any point
================================================
help -- get help for commands
language -- Set language
show -- show system information
exit -- exit current mode/console
ping -- ping test
comredirect -- COM redirector
telnet -- telnet to a host
traceroute -- trace route to a host
enable -- turn on privileged commands
infactory -- factory mode
Router>
The infactory command, provided the correct password, grants access to the factory mode view. This mode permits changing some configuration and performing various tests. The factory mode view:
Router> infactory
input password:
Router(factory)#
get help for commands
------------------------------------------------
type '?' for detail help at any point
================================================
help -- get help for commands
language -- Set language
exit -- exit current mode/console
reboot -- reboot system
factory-model -- hardware model configure
modem -- modem test
reset-key -- check the status of the reset button
com -- detecting serial ports
port -- FCT network port test
net -- complete machine network port test
led -- LED lights test
wlan -- Wi-Fi test
mem -- check memory
hw_wdg -- check the hardware watchdog status
dio -- detect digital I/O
stategridsec -- detect stategrid security chip
Router(factory)#
This mode offers several functionalities. For instance, the wlan functionality allows setting the SSID on a specific network interface. The wlan_functionality function:
undefined4 wlan_functionality(undefined4 param_1,char *args)
{
    [...]
    command_list[0] = args;
    [...]
    if (command_list[0] != (char *)0x0) {
        first_arg = (char *)get_next_token(command_list);
        if ((*first_arg != '\0') && (second_arg = (char *)get_next_token(command_list), *second_arg != '\0')) {
            is_2g = strncmp(first_arg,"2g",2);
            if (is_2g == 0) {
                [... perform a setup ...]
                is_status = strncmp(second_arg,"status",6);
                if (is_status == 0) {
                    [...]
                }
                is_connect = strncmp(second_arg,"connect",7);
                if (is_connect == 0) {
                    if (((command_list[0] != (char *)0x0) && (*command_list[0] != '\0')) &&
                        (third_arg = (char *)get_next_token(command_list), *third_arg != '\0')) { [1]
                        [...]
                        snprintf(&set_SSID_string,0x80,"iwpriv %s set SSID=\"%s\"",&interface_name,third_arg); [2]
                        system(&set_SSID_string); [3]
                        [...]
                    }
If the first and second provided arguments are 2g and connect, then the third one, parsed at [1], is later used at [2] to form the string iwpriv <interface> set SSID="<third_arg>". This string is then passed at [3] as the argument of the system function.
The third argument is not properly sanitized, so a command injection occurs at [3]. An attacker able to reach the wlan functionality would be able to obtain a root shell.
Provided the command wlan 2g connect ;$(reboot) in the factory mode view, the device will reboot.
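The following is an added example, not code from the advisory or from the InHand firmware. It reproduces the unsafe pattern at [2]/[3] (an SSID interpolated into a shell command line) next to a hardened variant that validates the argument against an allowlist and invokes the helper through execvp() with an argv array, so no shell ever parses the SSID. All function names (build_ssid_command, ssid_is_safe, iface_is_safe, build_iwpriv_argv, run_iwpriv), the allowlist and the sample inputs are assumptions made for this demonstration; the unsafe variant only builds the string and never calls system().

```c
/* Added example (not InHand's firmware code): the unsafe snprintf+system
 * pattern from the advisory beside a hardened variant. Names and policy
 * below are assumptions made for this demo. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Unsafe pattern: the SSID is interpolated into a shell command line.
 * If the caller passes the result to system(), /bin/sh -c interprets any
 * shell metacharacters in ssid. Returns 0 on success, -1 on truncation.
 * This demo only builds the string; it never calls system(). */
int build_ssid_command(char *out, size_t outlen, const char *iface, const char *ssid)
{
    int n = snprintf(out, outlen, "iwpriv %s set SSID=\"%s\"", iface, ssid);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened check: allowlist of SSID characters plus the 802.11 maximum of
 * 32 bytes. Anything the shell treats specially (';', '$', '(', '`', '"')
 * is rejected. The allowlist itself is this example's policy choice. */
int ssid_is_safe(const char *ssid)
{
    size_t len = strlen(ssid);
    if (len == 0 || len > 32) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)ssid[i];
        if (!(isalnum(c) || c == '-' || c == '_' || c == ' ' || c == '.'))
            return 0;
    }
    return 1;
}

/* The interface name comes from the same untrusted path and is validated too
 * (IFNAMSIZ on Linux is 16 including the terminator). */
int iface_is_safe(const char *iface)
{
    size_t len = strlen(iface);
    if (len == 0 || len > 15) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)iface[i];
        if (!(isalnum(c) || c == '-' || c == '_')) return 0;
    }
    return 1;
}

/* Builds an argv for execvp(): no shell is involved, so the SSID reaches
 * iwpriv as one argument even if the allowlist were ever relaxed.
 * argv needs 5 slots; ssid_arg receives "SSID=<ssid>". */
int build_iwpriv_argv(char *argv[5], char *ssid_arg, size_t ssid_arg_len,
                      const char *iface, const char *ssid)
{
    if (!iface_is_safe(iface) || !ssid_is_safe(ssid)) return -1;
    int n = snprintf(ssid_arg, ssid_arg_len, "SSID=%s", ssid);
    if (n < 0 || (size_t)n >= ssid_arg_len) return -1;
    argv[0] = "iwpriv";
    argv[1] = (char *)iface;
    argv[2] = "set";
    argv[3] = ssid_arg;
    argv[4] = NULL;
    return 0;
}

/* Hardened replacement for system(): fork + execvp with the argv above.
 * Returns the child's exit status, or -1 if validation or process
 * creation fails (validation failure returns before any fork). */
int run_iwpriv(const char *iface, const char *ssid)
{
    char *argv[5];
    char ssid_arg[64];
    if (build_iwpriv_argv(argv, ssid_arg, sizeof ssid_arg, iface, ssid) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);               /* exec failed in the child */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: a benign SSID and the advisory's injection string. */
    const char *benign = "FactoryTestNet";
    const char *hostile = ";$(reboot)";
    char cmd[128];

    if (build_ssid_command(cmd, sizeof cmd, "wlan0", hostile) == 0)
        printf("unsafe command line: %s\n", cmd);   /* a shell would run reboot */
    printf("benign accepted: %d\n", ssid_is_safe(benign));
    printf("hostile accepted: %d\n", ssid_is_safe(hostile));
    return 0;
}
```

The two defences are independent on purpose: the allowlist stops the injection string at the input boundary, and the argv-based exec removes the shell from the path entirely, so a future change to the allowlist cannot reintroduce the system() problem.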
The vendor has updated their website and uploaded the latest firmware on it.
https://inhandnetworks.com/product-security-advisories.html
https://www.inhandnetworks.com/products/inrouter300.html#link4
https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf
2022-03-30 - Vendor Disclosure
2022-05-10 - Public Release
2022-05-10 - Vendor Patch Release