Multiple command injection vulnerabilities exist in the web_server action endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.The `/action/import_cert_file/` API is affected by command injection vulnerability.

**Summary**

Multiple command injection vulnerabilities exist in the web\_server action endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.

**Tested Versions**

Robustel R1510 3.3.0

**Product URLs**

R1510 - https://www.robustel.com/en/product/r1510-industrial-cellular-vpn-router/

**CVSSv3 Score**

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**Details**

The R1510 is an industrial cellular router. It offers several advanced software like an innovative use of Open VPN, Cloud management, data over-use guard, smart reboot and others.

The R1510 has a web server that manages several endpoints. One group of endpoints have the following form /action/<API_endpoint>/. Several of those endpoints use unsafe functions with user provided parameters, like the standard system function, and a custom one called sysprintf.

Here it is sysprintf:

    void sysprintf(char *format_string,char *param_2,char *char*,char *param_4)
    
    {
      [...]
    
      va_list_ptr = va_list;
      va_list[0] = param_2;
      va_list[1] = char*;
      va_list[2] = param_4;
      vsnprintf(shell_command,0x200,format_string,va_list_ptr);                                             [1]
      system(shell_command);                                                                                [2]
      return;
    }
    

At [1] a string is formatted, using the first argument of the function as format string and the others parameters as format string arguments. If one of the argument is controllable by an attacker a command injection would occur at [2].

**CVE-2022-33312 - /action/import\_cert\_file/ command injection**

This command injection is in the /action/import_cert_file/ API.

The function that handles that endpoint is:

    void /action/import_cert_file/(Webs *webs)
    
    {
     [...]
    
      [...]
          path = (char *)websGetVar(webs,"path",0);                                                         [3]
          if ((path != (char *)0x0) &&
             (target_file = websGetVar(webs,"target_file",0), target_file != 0)) {
            hash = scaselessmatch(webs->method,"POST");
            iVar7 = 0;
            if (hash != 0) {
              pWVar1 = hashFirst((char)webs->files);
              while (pWVar1 != (WebsKey *)0x0) {
                ppcVar9 = *(char ***)&(pWVar1->content).value;
                hash = dir_exists(path);                                                                    [4]
                if (hash == 0) {
                  sysprintf("mkdir -p %s",path);                                                            [5]
                }
                [...]
     }            At `[3]` the variable `path` is fetched, then at `[4]` it is checked if its value correspond to an existing directory. If the directory does not exist the value will be used, at `[5]`, as argument of the `sysprintf` function. This can lead to a command injection.
    

**CVE-2022-33313 - /action/import\_https\_cert\_file/ command injection**

This command injection is in the /action/import_https_cert_file/ API.

The function that handles that endpoint is:

    void /action/import_https_cert_file/(Webs *webs)
    
    {
      [...]
    
      [...]
          type_var = websGetVar(webs,"type",0);
          path_var = websGetVar(webs,"path",0);                                                             [6]
          if ((type_var != 0) && (path_var != 0)) {
            iVar1 = scaselessmatch(webs->method,"POST");
            if (iVar1 != 0) {
              pWVar2 = hashFirst((char)webs->files);
              while (pWVar2 != (WebsKey *)0x0) {
                uploaded_location = *(undefined4 **)&(pWVar2->content).value;
                iVar1 = string_matched(type_var,"ca");
                if (iVar1 == 0) {
                  iVar1 = string_matched(type_var,"private_key");
                  if (iVar1 != 0) {
                    path_formatted_value = "%s/server.key";
                    goto LAB_00481458;
                  }
                }
                else {
                  path_formatted_value = "%s/server.crt";
    LAB_00481458:
                  path_formatted_value = (char *)sfmt(path_formatted_value,path_var);                       [7]
                }
                if (path_formatted_value != (char *)0x0) {
                  sysprintf("mv %s %s -f",*uploaded_location,path_formatted_value);                         [8]
                  [...]
    }
    

At [6] the variable path is fetched, then at [7] it is used as argument to format a string based on another provided variable. The formatted string is then used at [8] as argument for the sysprintf function. This can lead to a command injection.

**CVE-2022-33314 - /action/import\_sdk\_file/ command injection**

This command injection is in the /action/import_sdk_file/ API.

The function that handles that endpoint is:

    void /action/import_sdk_file/(Webs *webs)
    
    {
      [...]
    
      [...]
          path_param = websGetVar(webs,"path",0);                                                           [9]
          if (path_param != 0) {
            websSetStatus(webs,200);
            websWriteHeaders(webs,0xffffffff,0);
            websWriteHeader(webs,"Content-Type","text/html");
            websWriteEndHeaders(webs);
            iVar1 = scaselessmatch(webs->method,"POST");
            if (iVar1 != 0) {
              pWVar4 = hashFirst((char)webs->files);
              while (pWVar4 != (WebsKey *)0x0) {
                ppcVar8 = *(char ***)&(pWVar4->content).value;
                iVar1 = dir_exists(path_param);                                                             [10]
                if (iVar1 == 0) {
                  sysprintf("mkdir -p %s",path_param);                                                      [11]
                }
                [...]
    }            
    

At [9] the variable path is fetched, then at [10] it is checked if its value correspond to an existing directory. If the directory does not exist the value will be used, at [11] as argument of the sysprintf function. This can lead to a command injection.

**Timeline**

2022-06-27 - Initial vendor contact  
2022-06-28 - Vendor Disclosure  
2022-06-30 - Public Release  

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-33312: TALOS-2022-1572 || Cisco Talos Intelligence Group

Multiple command injection vulnerabilities exist in the web_server ajax endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network packets can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.The `/ajax/clear_tools_log/` API is affected by command injection vulnerability.

**Summary**

Multiple command injection vulnerabilities exist in the web\_server ajax endpoints functionalities of Robustel R1510 3.3.0. A specially-crafted network packets can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.

**Tested Versions**

Robustel R1510 3.3.0

**Product URLs**

R1510 - https://www.robustel.com/en/product/r1510-industrial-cellular-vpn-router/

**CVSSv3 Score**

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**Details**

The R1510 is an industrial cellular router. It offers several advanced software like an innovative use of Open VPN, Cloud management, data over-use guard, smart reboot and others

The R1510 has a web server that manages several endpoints. One group of endpoints have the following form /ajax/<API_endpoint>/. Several of those endpoints use unsafe functions with user provided parameters, like the standard system function, and a custom one called sysprintf.

Here it is sysprintf:

    void sysprintf(char *format_string,char *param_2,char *char*,char *param_4)
    
    {
      [...]
    
      va_list_ptr = va_list;
      va_list[0] = param_2;
      va_list[1] = char*;
      va_list[2] = param_4;
      vsnprintf(shell_command,0x200,format_string,va_list_ptr);                                             [1]
      system(shell_command);                                                                                [2]
      return;
    }
    

At [1] a string is formatted, using the first argument of the function as format string and the others parameters as format string arguments. If one of the argument is controllable by an attacker a command injection would occur at [2].

**CVE-2022-33325 - /ajax/clear\_tools\_log/ command injection**

This command injection is in the /ajax/clear_tools_log/ API.

The function that handles that endpoint is:

    undefined4 /ajax/clear_tools_log/(Webs *webs)
    
    {
      [...]
    
      [...]
          tools_name = (char *)websGetVar(webs,"tools_name",0);                                             [3]
          iVar1 = string_is_not_empty(tools_name);
          if (iVar1 != 0) {
            TOOLS_LOG_FILE_MARK = websGetSessionVar(webs,"_:TOOLS_LOG_FILE_MARK:_","0");
            pcVar5 = (char *)sfmt("rm %s/wlf_%s_%s.log -rf","/tmp/log/tools",tools_name,                    [4]
                                  TOOLS_LOG_FILE_MARK);
            iVar1 = system(pcVar5);                                                                         [5]
            [...]
    

At [3] the tools_name variable is fetched and then, at [4], used to format a string. The formatted string is then used at [5] as argument for the system function. This can lead to a command injection.

**CVE-2022-33326 - /ajax/config\_rollback/ command injection**

This command injection is in the /ajax/config_rollback/ API.

The function that handles that endpoint is:

    undefined4 /ajax/config_rollback/(Webs *webs)
    
    {
      [...]
    
      [...]
            archive_param = websGetVar(webs,"archive",0);                                                   [6]
            iVar4 = dir_exists("/app/config/rollback_archive");
            iVar1 = -1;
            if (iVar4 != 0) {
              sysprintf("mkdir -p %s","/tmp/config_rollback");
              iVar1 = sysprintf("tar -C %s -zxf %s/%s.tgz && uci -c import %s/config.xml && rm %s -rf",
                                "/tmp/config_rollback","/app/config/rollback_archive",archive_param,
                                "/tmp/config_rollback","/tmp/config_rollback");                             [7]
              iVar1 = -(uint)(iVar1 != 0);
            }
    

At [6] the archive variable is fetched and then used as argument of the sysprintf function at [7]. This can lead to a command injection.

**CVE-2022-33327 - /ajax/remove\_sniffer\_raw\_log/ command injection**

This command injection is in the /ajax/remove_sniffer_raw_log/ API.

The function that handles that endpoint is:

    undefined4 /ajax/remove_sniffer_raw_log/(Webs *webs)
    
    {
      [...]
    
      [...]
          file_name = (char *)websGetVar(webs,"file_name",0);                                               [8]
          if ((file_name != (char *)0x0) && (pcVar5 = strstr(file_name,".."), pcVar5 == (char *)0x0)) {
            shell_command = (char *)sfmt("rm %s/%s -rf","/tmp/log/sniffer",file_name);                      [9]
            iVar1 = system(shell_command);                                                                  [10]
            [...]
    

At [8] the file_name variable is fetched and then, at [9], used to format a string. The formatted string is then used at [10] as argument for the system function. This can lead to a command injection.

**CVE-2022-33328 - /ajax/remove/ command injection**

This command injection is in the /ajax/remove/ API.

The function that handles that endpoint is:

    undefined4 /ajax/remove/(Webs *webs)
    
    {
      [...]
    
      [...]
          file_name = (char *)websGetVar(webs,"file_name",0);                                               [11]
          if ((file_name != (char *)0x0) &&
             (shell_command = strstr(file_name,".."), shell_command == (char *)0x0)) {
            shell_command = (char *)sfmt("rm %s -rf",file_name);                                            [12]
            iVar1 = system(shell_command);                                                                  [13]
            [...]
    }
    

At [11] the file_name variable is fetched and then, at [12], used to format a string. The formatted string is then used at [13] as argument for the system function. This can lead to a command injection.

**CVE-2022-33329 - /ajax/set\_sys\_time/ command injection**

This command injection is in the /ajax/set_sys_time/ API.

The function that handles that endpoint is:

    undefined4 /ajax/set_sys_time/(Webs *webs)
    
    {
      [...]
    
      [...]
          date = websGetVar(webs,"date",0);                                                                 [14]
          if ((date != 0) && (iVar3 = string_is_empty(date), iVar3 == 0)) {
            sysprintf("date \"%s\"",date);                                                                  [15]
            [...]
    }
    

At [14] the date variable is fetched and then used at [15] as argument of the sysprintf function. This can lead to a command injection.

**Timeline**

2022-06-27 - Initial vendor contact  
2022-06-28 - Vendor Disclosure  
2022-06-30 - Public Release  

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-33325: TALOS-2022-1573 || Cisco Talos Intelligence Group

A cross-site request forgery (CSRF) vulnerability in Jenkins Deployment Dashboard Plugin 1.0.10 and earlier allows attackers to connect to an attacker-specified HTTP URL using attacker-specified credentials.

CVE-2022-34797: Jenkins Security Advisory 2022-06-30

Jenkins Build Notifications Plugin 1.5.0 and earlier stores tokens unencrypted in its global configuration files on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34800: Jenkins Security Advisory 2022-06-30

Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2022-34777: Jenkins Security Advisory 2022-06-30

Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs.

CVE-2022-34786: Jenkins Security Advisory 2022-06-30

Jenkins Failed Job Deactivator Plugin 1.2.1 and earlier does not perform permission checks in several views and HTTP endpoints, allowing attackers with Overall/Read permission to disable jobs.

CVE-2022-34818: Jenkins Security Advisory 2022-06-30

Jenkins RocketChat Notifier Plugin 1.5.2 and earlier stores the login password and webhook token unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

CVE-2022-34802: Jenkins Security Advisory 2022-06-30

A cross-site request forgery (CSRF) vulnerability in Jenkins Request Rename Or Delete Plugin 1.1.0 and earlier allows attackers to accept pending requests, thereby renaming or deleting jobs.

CVE-2022-34815: Jenkins Security Advisory 2022-06-30

Jenkins Jigomerge Plugin 0.9 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Tag

#cisco