CVE-2022-21809
A file write vulnerability exists in the httpd upload.cgi functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can upload a malicious file to trigger this vulnerability.
InHand Networks InRouter302 V3.5.4
InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html
9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-377 - Insecure Temporary File
The InRouter302 is an industrial LTE router. It features remote management functionalities and several security protection mechanism, such as: VPN technologies, firewall functionalities, authorization management and several other features.
The InRouter302 offers, once logged, several APIs. One API is called upload.cgi. This API allows to upload a file and specify the type of file, such as config, modem_upgrade and cert_ca.
The upload.cgi API will execute mainly two functions: upload.cgi_input that will parse the POST request, and upload.cgi_output that will use the parsed input to perform the actual API and return the output, if required.
The upload.cgi_input function:
void upload.cgi_input(char *cgi_filename,uint CONTENT_LENGTH,char *BOUNDARY)
{
[... several action among which read_buff is filled with the POST content ...]
filename_provided = strchr(read_buff + 0x26,L'\"');
if (filename_provided == (char *)0x0) {
[...]
}
*filename_provided = '\0';
param_value[0] = '\0';
strlcpy(param_key,read_buff + 0x26,0x80);
syslog(7,"get var name: %s",param_key);
filename_provided = strstr(filename_provided + 1,"filename=\"");
if (filename_provided == (char *)0x0) {
[...]
}
filename_provided = filename_provided + 10;
filename_end = strchr(filename_provided,L'\"');
if (filename_end == (char *)0x0) {
[...]
}
*filename_end = '\0';
pcVar2 = strrchr(filename_provided,L'\\'); [1]
if (pcVar2 != (char *)0x0) {
filename_provided = pcVar2 + 1;
}
[...]
snprintf(file_path,0x80,"/tmp/%s",filename_provided); [2]
__s = fopen(file_path,"wb");
[...]
}
The two main variables that are going to be parsed, and later used in the upload.cgi_output, are type and filename. The upload.cgi_input function is also responsible for creating a temporary file with the content of the provided one.
The provided filename, using the strrchr function at [1], will be considered, if present, only from the last \ character in the provided filename. Otherwise the entire provided filename will be used.
Then, at [2], the file /tmp/<provided_filename> is opened and later filled with the provided content.
Later, in upload.cgi_output, based on the type variable provided, different actions could be performed. Eventually the temporary file created will be removed.
The upload.cgi_output function:
void upload.cgi_output(void)
{
[...]
type = (char *)webcgi_get("type");
filename = (char *)webcgi_get("filename");
if ((type == (char *)0x0) || (*type == '\0')) {
type = "unknown upload type!";
}
else {
[... here it would manage the file based on the type and eventually remove the temporary file ...]
}
syslog(7,type);
LAB_0040ed08:
if (gl_server_port != 4444) {
parse_asp("error.jsp");
return;
}
http_api_success = 0;
return;
}
If the type variable is not provided, the upload.cgi API will not perform any other actions in upload.cgi_output. This will result in not deleting the temporary file. Furthermore, at [2], the filename is concatenated without any check or manipulation except for the one performed at [1]. This would allow an attacker to perform a path traversal.
The overall impact for these problems will be, for an attacker, to be able to upload and/or overwrite any writable file.
The vendor has updated their website and uploaded the latest firmware on it. https://inhandnetworks.com/product-security-advisories.html https://www.inhandnetworks.com/products/inrouter300.html#link4
https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf
2022-02-25 - Initial vendor contact
2022-03-02 - Vendor Disclosure
2022-05-10 - Public Release
2022-05-10 - Vendor Patch Release
Discovered by Francesco Benvenuto of Cisco Talos.