Lucene search

K

Talos IntelligenceTALOS-2022-1573

HistoryJun 30, 2022 - 12:00 a.m.

Robustel R1510 web_server ajax endpoints OS command injection vulnerabilities

2022-06-3000:00:00

Talos Intelligence

www.talosintelligence.com

15

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

65.4%

Summary

Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network packets can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.

Tested Versions

Robustel R1510 3.3.0

Product URLs

R1510 - <https://www.robustel.com/en/product/r1510-industrial-cellular-vpn-router/>

CVSSv3 Score

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Details

The R1510 is an industrial cellular router. It offers several advanced software like an innovative use of Open VPN, Cloud management, data over-use guard, smart reboot and others

The R1510 has a web server that manages several endpoints. One group of endpoints have the following form /ajax/<API_endpoint>/. Several of those endpoints use unsafe functions with user provided parameters, like the standard system function, and a custom one called sysprintf.

Here it is sysprintf:

void sysprintf(char *format_string,char *param_2,char *char*,char *param_4)

{
  [...]

  va_list_ptr = va_list;
  va_list[0] = param_2;
  va_list[1] = char*;
  va_list[2] = param_4;
  vsnprintf(shell_command,0x200,format_string,va_list_ptr);                                             [1]
  system(shell_command);                                                                                [2]
  return;
}

At [1] a string is formatted, using the first argument of the function as format string and the others parameters as format string arguments. If one of the argument is controllable by an attacker a command injection would occur at [2].

CVE-2022-33325 - /ajax/clear_tools_log/ command injection

This command injection is in the /ajax/clear_tools_log/ API.

The function that handles that endpoint is:

undefined4 /ajax/clear_tools_log/(Webs *webs)

{
  [...]

  [...]
      tools_name = (char *)websGetVar(webs,"tools_name",0);                                             [3]
      iVar1 = string_is_not_empty(tools_name);
      if (iVar1 != 0) {
        TOOLS_LOG_FILE_MARK = websGetSessionVar(webs,"_:TOOLS_LOG_FILE_MARK:_","0");
        pcVar5 = (char *)sfmt("rm %s/wlf_%s_%s.log -rf","/tmp/log/tools",tools_name,                    [4]
                              TOOLS_LOG_FILE_MARK);
        iVar1 = system(pcVar5);                                                                         [5]
        [...]

At [3] the tools_name variable is fetched and then, at [4], used to format a string. The formatted string is then used at [5] as argument for the system function. This can lead to a command injection.

CVE-2022-33326 - /ajax/config_rollback/ command injection

This command injection is in the /ajax/config_rollback/ API.

The function that handles that endpoint is:

undefined4 /ajax/config_rollback/(Webs *webs)

{
  [...]

  [...]
        archive_param = websGetVar(webs,"archive",0);                                                   [6]
        iVar4 = dir_exists("/app/config/rollback_archive");
        iVar1 = -1;
        if (iVar4 != 0) {
          sysprintf("mkdir -p %s","/tmp/config_rollback");
          iVar1 = sysprintf("tar -C %s -zxf %s/%s.tgz && uci -c import %s/config.xml && rm %s -rf",
                            "/tmp/config_rollback","/app/config/rollback_archive",archive_param,
                            "/tmp/config_rollback","/tmp/config_rollback");                             [7]
          iVar1 = -(uint)(iVar1 != 0);
        }

At [6] the archive variable is fetched and then used as argument of the sysprintf function at [7]. This can lead to a command injection.

CVE-2022-33327 - /ajax/remove_sniffer_raw_log/ command injection

This command injection is in the /ajax/remove_sniffer_raw_log/ API.

The function that handles that endpoint is:

undefined4 /ajax/remove_sniffer_raw_log/(Webs *webs)

{
  [...]

  [...]
      file_name = (char *)websGetVar(webs,"file_name",0);                                               [8]
      if ((file_name != (char *)0x0) && (pcVar5 = strstr(file_name,".."), pcVar5 == (char *)0x0)) {
        shell_command = (char *)sfmt("rm %s/%s -rf","/tmp/log/sniffer",file_name);                      [9]
        iVar1 = system(shell_command);                                                                  [10]
        [...]

At [8] the file_name variable is fetched and then, at [9], used to format a string. The formatted string is then used at [10] as argument for the system function. This can lead to a command injection.

CVE-2022-33328 - /ajax/remove/ command injection

This command injection is in the /ajax/remove/ API.

The function that handles that endpoint is:

undefined4 /ajax/remove/(Webs *webs)

{
  [...]

  [...]
      file_name = (char *)websGetVar(webs,"file_name",0);                                               [11]
      if ((file_name != (char *)0x0) &&
         (shell_command = strstr(file_name,".."), shell_command == (char *)0x0)) {
        shell_command = (char *)sfmt("rm %s -rf",file_name);                                            [12]
        iVar1 = system(shell_command);                                                                  [13]
        [...]
}

At [11] the file_name variable is fetched and then, at [12], used to format a string. The formatted string is then used at [13] as argument for the system function. This can lead to a command injection.

CVE-2022-33329 - /ajax/set_sys_time/ command injection

This command injection is in the /ajax/set_sys_time/ API.

The function that handles that endpoint is:

undefined4 /ajax/set_sys_time/(Webs *webs)

{
  [...]

  [...]
      date = websGetVar(webs,"date",0);                                                                 [14]
      if ((date != 0) && (iVar3 = string_is_empty(date), iVar3 == 0)) {
        sysprintf("date \"%s\"",date);                                                                  [15]
        [...]
}

At [14] the date variable is fetched and then used at [15] as argument of the sysprintf function. This can lead to a command injection.

Timeline

2022-06-27 - Initial vendor contact
2022-06-28 - Vendor Disclosure
2022-06-30 - Public Release

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

65.4%

Related for TALOS-2022-1573

prion5 cve5 talosblog3