Router-CVEs
/
CVE-2023-33381-MitraStar-GPT-2741GNAC
mirror of https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
CVE-2023-33381: OS command injection on MitraStar GPT-2741GNAC
12 Commits 1 Branch 0 Tags 42 KiB
Go to file
duality084 8d9a5a23cc
Update README.md 		2023-06-01 19:52:13 -03:00
README.md Update README.md 2023-06-01 19:52:13 -03:00

README.md

CVE-2023-33381-MitraStar-GPT-2741GNAC

CVE-2023-33381: OS command injection on MitraStar GPT-2741GNAC

Device: GPT-2741GNAC

Firmware Version: AR_g5.8_110WVN0b7_2

Vulnerability Description:

Upon logging in via SSH, I immediately noticed the limited set of available commands and options. It became evident that I was indeed confined to a restricted shell environment.

image

After exploring several known vulnerabilities, I decided to delve into the search for new ones. To begin, I logged into the administrative portal and began testing various functionalities that could potentially result in OS command injection. Within the Diagnostic menu, I came across a particular feature that allowed me to test connectivity using the ping and traceroute commands.

image

image

So, I decided to try something sneaky by adding a ";" character to my command. I executed "cat /etc/passwd" and guess what? The command ran successfully.

image

I took it a step further and executed the "sed" command to replace the restricted shell entry in the "/etc/passwd" file with a full interactive shell.

image

As clearly illustrated in the image below, the modifications I made have enabled me to login and freely execute commands like "uname" and "cat"

image

Root of cause

Since I had complete admin privileges, I couldn't resist delving deeper to uncover the vulnerable component. While inspecting the browser requests, I noticed something interesting. There were two CGI files, "ping.cgi" and "DiagGeneral.cgi", being targeted by the requests.

image

After grabbing the files, I had some fun with reverse engineering using Ghidra. Here's the interesting part: in the "ping.cgi" file, I noticed that the PingIPAddr parameter was being directly taken from user input without any proper sanitization. The PingIPAddr parameter grabbed from user input was stored for future use utilizing the tcapi_set function.

image

Lastly, in the DiagGeneral.cgi file the PingIPAddr parameter was retrieved using the tcapi_get function and then directly used in the system function without any sanitization. This flaw creates a command injection vulnerability, enabling unauthorized execution of arbitrary commands on the system.

image