CVE-2022-45600
| CVE URL: | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45600 |
|---|---|
| Reported by: | TanYeeTat |
| Product: | Aztech WMB250AC Wireless Mesh Routers |
| Affected Firmware: | 2020 Release (topaz-linux.lzma.img) |
| Firmware download: | closed source |
| Product Manual: | https://kylaconnect.com/download-center/ |

The vulnerability was reported to Aztech's security team via security@aztech.com on 7th June 2022, with no response as of 21st February 2023.
Vulnerability Details
A Command Injection vulnerability (leading to Privilege Escalation) exists in multiple webpages (listed below) and allows a web-authenticated user to execute arbitrary shell commands on the device as the root user. The root user account cannot be accessed through any other conventional method (e.g., Telnet) and has been locked down by the firmware's configuration. This vulnerability bypasses that configuration and escalates an attacker's privileges to root.
List of affected webpages
- Line 283 in status_wireless.php
- Line 54 in config_wps.php
- Line 81 in assoc_table.php
- Line 55 in config_macfilter.php
- Line 54 in config_wps.php
There is a lack of input validation and sanitization in the above web pages when processing the GET parameter `id`, which is fed into a shell command that is executed as the root user. Command injection is performed by terminating the preceding legitimate shell command with a semicolon (`;`), followed by an arbitrary shell command to inject.
Snippet of retrieving the GET parameter `id`: the value of `id` is stored in the `interface_id` variable.

Further down the PHP code, `interface_id` is fed into multiple `exec()` calls without validation or sanitization.
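As an added example of how a defender could spot requests of this shape in the router's web server access logs (written here for illustration; it is not part of the advisory or of Aztech's firmware, the combined log format is assumed, and the sample lines are constructed):

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Pages the advisory lists as passing the `id` GET parameter into exec().
AFFECTED_PAGES = {"status_wireless.php", "config_wps.php",
                  "assoc_table.php", "config_macfilter.php"}

# The advisory describes ';' as the terminator; the other characters extend the
# same check to the usual command separators and command-substitution syntax.
SHELL_META = re.compile(r"[;|&`$\n]")

# Apache/nginx combined log format is assumed; only the request target is used.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3}'
)

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Jun/2022:10:00:01 +0800] "GET /status_wireless.php?id=wlan0 HTTP/1.1" 200 512
192.0.2.10 - - [07/Jun/2022:10:00:05 +0800] "GET /status_wireless.php?id=wlan0%3Btrue HTTP/1.1" 200 640
192.0.2.11 - - [07/Jun/2022:10:01:12 +0800] "GET /index.php?id=1%3Btrue HTTP/1.1" 200 300
192.0.2.12 - - [07/Jun/2022:10:02:40 +0800] "GET /config_wps.php?id=wlan1%60hostname%60 HTTP/1.1" 200 480
"""


def flag_request(line):
    """Return (source_ip, page, decoded_id) for a suspicious hit, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    page = parts.path.rsplit("/", 1)[-1]
    if page not in AFFECTED_PAGES:
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("id", []):
        value = unquote(value)  # parse_qs decoded once; also catch double encoding
        if SHELL_META.search(value):
            return m.group("src"), page, value
    return None


def scan(lines):
    """Run flag_request over every log line and keep only the hits."""
    return [hit for hit in map(flag_request, lines) if hit]


if __name__ == "__main__":
    for src, page, value in scan(SAMPLE_LOG.splitlines()):
        print(f"suspicious id parameter from {src} on {page}: {value!r}")
```

Requests to the same pages that carry only a plain interface name (such as `wlan0`) are left alone, so the check keys on the affected page plus a metacharacter in `id` rather than on the page alone.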
Proof of Concept
The following steps reproduce this vulnerability:
- Start the product, physically or emulated
- Modify the PoC bash script's credentials to authenticate to the web service
- Execute the PoC bash script to obtain a root shell on the device