Some time ago I had the chance to experiment with the settings of a rather mediocre router. The occasion was the first of April, which obliged me to prank my friends at the university. The university had a Wi-Fi network. I decided to bring up a fake network on my router (set a name and password, and set the MAC address to that of one of the legitimate access points) and run my own DNS and web server on my laptop. Anyone who accidentally connected to my network and tried to open any site was to be redirected to my page with an April Fool's picture. But that is not what this story is about. While I was poking around in the router's settings, I found an interesting bug, and that is what I want to tell you about today.

At the time of setup the router itself was connected to the Internet, but for some reason the devices connected over Wi-Fi got no Internet access. I started to investigate. The router's web panel had a tab that let you run the ping utility, so there was no need to enable telnet (I hope all readers understand the danger of telnet being exposed to the outside?). The form looked like this:

[screenshot: the router's ping form]
The feature is implemented like this: the router's program receives from the user a string containing the address and splices it into the ping command line:
ping -c <count> <address>
How well does the router check the string containing the address? That was the question that came to mind. So I appended an ampersand and the ls command. Here is what I got:

For those who missed it
On UNIX systems we can make bash execute a command in the background by putting an ampersand after it. We can then put another command after the ampersand, and it will be executed concurrently with the first one. That is what I used here. By entering "8.8.8.8 & ls", I got "ping -c 3 8.8.8.8 & ls". The router executed the ping and ls commands simultaneously and then displayed the result.
Had this bug been present elsewhere, it would have been a very serious threat: such a vulnerability lets an attacker make the router execute any command, or even take complete control of the device. Vulnerabilities of this kind are classified as CWE-78 (OS Command Injection).
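As an added illustration (my own code, not the post's or the router firmware's), here is the vulnerable pattern the post describes next to a hardened version: the address is checked against an allow-list of hostname characters and ping is executed directly with an argument vector, so no shell ever parses the input. The function names, the fixed count of 3 and the sample inputs are my assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern (assumed shape): the user-supplied address is spliced
 * into a shell command line, so "8.8.8.8 & ls" runs both ping and ls. */
void ping_unsafe(const char *addr) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "ping -c 3 %s", addr);
    system(cmd);   /* the shell interprets & ; | ` $( and friends */
}

/* Allow-list check: only characters valid in an IPv4 literal or hostname.
 * Returns 1 if addr is acceptable, 0 otherwise. */
int is_safe_host(const char *addr) {
    size_t n = strlen(addr);
    if (n == 0 || n > 253 || addr[0] == '-') return 0;  /* '-' would be an option */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* Hardened version: validate, then exec ping with an argv array. No shell is
 * involved, so metacharacters carry no meaning. Returns ping's exit status,
 * or -1 if the address was rejected or the child could not be run. */
int ping_safe(const char *addr) {
    if (!is_safe_host(addr)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp("ping", "ping", "-c", "3", addr, (char *)NULL);
        _exit(127);   /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv) {
    const char *addr = argc > 1 ? argv[1] : "8.8.8.8 & ls";  /* constructed input */
    int rc = ping_safe(addr);
    printf("ping_safe(\"%s\") -> %d\n", addr, rc);
    return rc == -1 ? 1 : 0;
}
```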
I could not sit still, and I hurried to write to the manufacturer about the bug I had found. I described in detail the router model, the firmware version and the steps to reproduce the bug. I received an interesting answer:

Translation (literal)
Could you check the hardware version on the bottom label of the product?
We do not have Rev. Px. Do you know the source or place of purchase of this device?
As it turned out, they had not taken into account that I was writing from Russia: this router model was sold only in our country. The correspondence ended with them sending me a new firmware that fixed all the shortcomings of the previous one and added many features, but for some reason it was never made publicly available.
