CVE-2023-28381
An OS command injection vulnerability exists in the admin.cgi MVPN_trial_init functionality of peplink Surf SOHO HW1 v6.3.5 (in QEMU). A specially crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Peplink Surf SOHO HW1 v6.3.5 (in QEMU)
Surf SOHO HW1 - https://www.peplink.com/products/soho-series-surf/
7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
The Surf series of SOHO routers is marketed as an entry-level router for use at home. It provides networking via USB cellular modems, ethernet and Wi-Fi. The device can host a VPN and supports Wi-Fi meshing.
The device hosts a webserver for configuration and control.
An OS command injection vulnerability exists in the handling of requests destined for the /cgi-bin/MANGA/admin.cgi endpoint, which are intended to initialize a trial of the MVPN feature. This endpoint is accessible only after successfully authenticating as a user with write privileges on the device. The vulnerability can only be reached if the device has been configured to use either mvpn_smoothing or mvpn_bonding. The HTTP POST request must have a parameter, section, with a value set to MVPN_trial_init in order to reach the vulnerable code.
The vulnerable function is located in the file admin.cgi at offset 0x4bb7b4 in firmware version 6.3.5, and we refer to it as MVPN_trial_init. An annotated decompilation of the function is included for reference.
int MVPN_trial_init()
{
char debug[0x20] = {0};
char cmd[0x400] = {0};
int is_llb = is_support_llb_trial();
int mvpn_support_mode = get_mvpn_support_mode();
char* trial_type;
snprintf(&debug, 0x20, "%s", cgi_safe_param("debug")); // [1] Command injection payload must fit within 0x20 bytes
if (mvpn_support_mode == BONDING) {
if (is_llb) {
trial_type = "bonding_llb";
} else {
trial_type = "bonding";
}
}
if (mvpn_support_mode == SMOOTHING) {
if (is_llb) {
trial_type = "smoothing_llb";
} else {
trial_type = "smoothing";
}
}
if (mvpn_support_mode == BONDING || mvpn_support_mode == SMOOTHING) { // [2] Smoothing or Bonding must be configured for MVPN in order to reach vulnerable code
snprintf(cmd, 0x400, "/usr/local/ilink/bin/mvpn_trial_init %s %s > /dev/null 2>&1", trial_type, &debug); // [3] Craft a command using attacker-controlled `debug` value
if (system(cmd)) == 0) { // [4] Execute the crafted command as root
return 1;
}
}
xml_error("Unable to start trial. Please try again later.");
return 0;
}
Observe at [1] that the first 0x20 bytes of the HTTP POST param debug are extracted into the debug stack variable. If the configuration check at [2] is passed, the command is crafted at [3] by directly injecting the attacker-controlled value. Finally, at [4], the command is executed with root privileges. A properly formatted request can escape the intended command and execute arbitrary commands.
2023-06-26 - Initial Vendor Contact
2023-06-27 - Vendor Disclosure
2023-10-11 - Public Release
Discovered by Matt Wiseman of Cisco Talos.