Proof of concept for authenticated command injection in the DPC3848VM gateway.
Ostoic/dpcpwn
License: GPL v3

DPCPwn

This is a short exploit script I wrote to serve as a Proof of Concept for an authenticated command injection vulnerability I found in the DPC3848VM gateway, which is an old Cisco router/modem from around 2014.

(Demo recording: Peek 2021-01-19 20-14)

Installation

git clone https://github.com/Ostoic/dpcpwn
cd dpcpwn
pip3 install -r requirements.txt

Technicolor DPC3848VM DOCSIS 3.0 Gateway RCE vulnerability

Tested on firmware:

  • dpc3800-v303r2042162-160620a
  • dpc3800-v303r204318-210209a (buildtime 2021-02-09 08:55:20 UTC)

The ping function of the router's management web interface does not sanitize the user-controlled target address. The value is concatenated into a shell command string that is then executed on the device, so an attacker can inject arbitrary shell commands and obtain remote code execution.

The picture below shows the diagnostics page, which is available to authenticated users. The "Ping Target IPv4" field has 4 input boxes, one per octet, which together form an IP address.

(Screenshot: diagnostics page)

After the ping test has finished running, the following is shown at the bottom of the page:

(Screenshot from 2021-01-19 14-49-34: ping output at the bottom of the page)

The POST request for the ping function looks as follows:

(Screenshot from 2021-01-19 14-51-49: the ping POST request)

Of note is the ping_dst parameter in the request body. What if one were to write an arbitrary command into that parameter? Surely the input is sanitized server-side, right?

(Screenshot: ping_dst parameter replaced with a command)

We can reasonably guess that the ping_dst parameter is substituted into a shell command of the form "/bin/sh -c ping {ping_dst}", so if we craft our input carefully we can execute any command we like. An easy way to do this without having to worry about syntax errors is shell command substitution, $(id) or `id`: the shell expands it before ping ever runs, and it stays syntactically valid wherever it lands in the string, whereas a separator such as "; id" can break if the value happens to be wrapped in quotes.
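To make the mechanism concrete, here is an added simulation of both sides of the bug; it is not code from this repository or from the device firmware. It models the guessed backend (the user value pasted into a string handed to /bin/sh -c) next to a hardened handler that validates ping_dst as a dotted-quad IPv4 address and execs the binary with an argument vector, never through a shell. Assumptions: the real template is something like "ping -c 4 {ping_dst}", and "echo" stands in for the ping binary so the simulation runs on any host without sending packets.

```python
import ipaddress
import subprocess

# ASSUMPTION: the device builds something like "ping -c 4 <ping_dst>" and runs it
# through /bin/sh -c. "echo" stands in for the real ping binary so this
# simulation runs anywhere and its output can be checked deterministically.
VULNERABLE_TEMPLATE = "echo ping -c 4 {ping_dst}"


def run_sh(command: str) -> str:
    """Run a string through /bin/sh -c, the way the guessed backend does."""
    result = subprocess.run(["/bin/sh", "-c", command],
                            capture_output=True, text=True)
    return result.stdout


def vulnerable_ping(ping_dst: str) -> str:
    """Unsanitised handler: the user value is pasted straight into the shell string."""
    return run_sh(VULNERABLE_TEMPLATE.format(ping_dst=ping_dst))


def is_valid_target(ping_dst: str) -> bool:
    """True only for a strict dotted-quad IPv4 address (no shell metacharacters,
    no hostnames, no leading/trailing junk)."""
    try:
        ipaddress.IPv4Address(ping_dst)
        return True
    except ValueError:          # ipaddress.AddressValueError is a ValueError
        return False


def hardened_ping(ping_dst: str) -> str:
    """Hardened handler: reject anything that is not an IPv4 address, then exec
    the binary with an argv list so no shell parses the target at all."""
    if not is_valid_target(ping_dst):
        raise ValueError(f"rejected ping target: {ping_dst!r}")
    result = subprocess.run(["echo", "ping", "-c", "4", ping_dst],
                            capture_output=True, text=True)
    return result.stdout


def injection_payload(command: str) -> str:
    """Command substitution: expanded by the shell before ping runs, and valid
    syntax wherever it lands in the template (also inside double quotes)."""
    return f"$({command})"


if __name__ == "__main__":
    print(vulnerable_ping("192.168.0.1"), end="")
    # The substituted output of id, not a host, ends up on the command line.
    print(vulnerable_ping(injection_payload("id")), end="")
    try:
        hardened_ping(injection_payload("id"))
    except ValueError as exc:
        print("hardened handler:", exc)
```

The hardened version does two independent things, and both matter: the allow-list check stops the payload at the boundary, and exec-without-shell means that even a validator bug would not hand the value to a shell parser. Client-side validation in the four octet boxes (which is presumably what the page relies on) provides neither, since the POST body is under the attacker's control.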

(Screenshot: output of the injected id command in the ping result)

Severity

The exploit is simple enough that in-the-wild exploitation is plausible. It allows execution of any OS command as root, because that is the user the php-cgi binary runs as. Exploitation does require an authenticated session on the management interface. Once in, it is easy to intercept all (LAN, WAN, etc.) network traffic with tcpdump, allowing stealthy passive monitoring of everything that passes through the gateway.
