production: EX300_v2
version: V4.0.3c.140_B20210429
Vulnerability Type: RCE
A command injection was found in EX300_v2, V4.0.3c.140_B20210429. The update process cloudupdate_check of the router allows adjacent unauthenticated attackers to achieve remote code execution as root via a MitM attack.
cloudupdate_check will check whether there is new version from firmware server, and update config file /var/cloudupg.ini. Here we can perform a MITM attack and return malicious response to cloudupdate_check , and inject command in value magicid and url .
- post to firmware server to check new firmware
Since device requests by HTTP, so we can hijack dns request ,and the repeater will connect to the attacker server instead of legal one.
- cloudupdate_check
if ( !strncmp(Var, &a30, 3)
&& (v3 = websGetVar(a1, "mode", "0"), v4 = atoi(v3), (v5 = v4) != 0)
&& (inifile_set_int("/var/cloudupg.ini", "INFO", "mode", v4), url = (const char *)websGetVar(a1, &aUrl, ""), *url) )
{
inifile_set("/var/cloudupg.ini", "INFO", &aUrl, url);
magicid = (const char *)websGetVar(a1, "magicid", "");
v8 = (const char *)websGetVar(a1, "version", "");
v9 = (const char *)websGetVar(a1, "svn", "");
snprintf(buf, 256, "echo %s > /tmp/ActionMd5", magicid); //命令注入
system(buf);
snprintf(buf, 256, "echo %s > /tmp/DlFileUrl", url);//命令注入
system(buf);