CVSS3: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (Attack Vector: Network; Attack Complexity: Low; Privileges Required: High; User Interaction: None; Scope: Changed; Confidentiality Impact: High; Integrity Impact: High; Availability Impact: High)
AI Score Confidence: High
EPSS Percentile: 21.5%
CVE-2023-40146
A privilege escalation vulnerability exists in the /bin/login functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted command line argument can lead to a limited-shell escape and elevated capabilities. An attacker can authenticate with hard-coded credentials and execute unblocked default busybox functionality to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Peplink Smart Reader v1.2.0 (in QEMU)
Smart Reader - <https://www.peplinkworks.com/Smart-Reader.asp>
6.8 - CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-77 - Improper Neutralization of Special Elements used in a Command ("Command Injection")
The Peplink Smart Reader is the access-control hardware associated with the PepXIM Time-Logging and Security System. It is used to manage access to buildings, workstations and public transit, as well as for employee time management.
The device utilizes a custom /bin/login binary for authentication to the device via serial console. This custom implementation of /bin/login adds several undocumented "accounts" to the device, each of which will trigger different binaries when successfully authenticated. These accounts are named qctest, cli, wificli and iot, and they map to the following commands.

qctest -> /usr/sbin/qctest
cli -> /bin/cli
wificli -> /bin/wireless_cli.sh
iot -> `cd /tmp; /bin/iotsh`

This all occurs within the main function of /bin/login, beginning at offset 0x401788. A decompilation is included below for reference.
    ...
    if (strcmp(tty, "ttyS0") == 0 || strcmp(tty, "console")) {
        if (strcmp(password, "qctest") == 0 && strcmp(username, "qctest") == 0) {
            puts("\n");
            system("/usr/bin/qctest");
        }
    }
    if (strcmp(password, "cli") == 0 && strcmp(username, "cli") == 0) {
        puts("\n");
        system("/bin/cli");
    } else if (strcmp(password, "wificli") == 0 && strcmp(username, "wificli") == 0) {
        puts("\n");
        system("/bin/wireless_cli.sh");
    } else if (strcmp(password, "iot") == 0 && strcmp(username, "iot") == 0) {
        puts("\n");
        system("cd /tmp ; /bin/iotsh");
    }
    ...
Of interest is the iot account, as /bin/iotsh is a custom-built busybox which, when executed as iotsh, limits the applets that can be executed to the following: cm, exit, ifconfig, iperf, modem_connect_enable, ping, route, tcpdump, traceroute. It does not limit access to all busybox builtins, one of which is exec. An attacker who can connect to the serial console of the device can authenticate as the iot user and escape the limited shell by running exec /bin/sh, which grants them an uninhibited root shell.
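The root cause above is that the "limited shell" is still a shell, so its builtins (exec among them) sit outside the applet whitelist. The following added example, which is not Peplink's or Talos's code, shows the alternative a defender would want: a dispatcher that tokenizes the line itself and execs the listed applet directly, so no interpreter and therefore no builtin is ever reachable. It assumes the applets exist as /bin/<name>; the applet list is the one reported in the advisory.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Applets the advisory says iotsh permits; the dispatcher below accepts
 * nothing else, and since no shell is involved there are no builtins. */
static const char *const ALLOWED[] = {
    "cm", "exit", "ifconfig", "iperf", "modem_connect_enable",
    "ping", "route", "tcpdump", "traceroute", NULL
};

/* Split a command line on blanks into argv (NULL-terminated). Returns argc,
 * or -1 if the line carries shell metacharacters or too many arguments. */
int split_cmdline(char *line, char *argv[], int max_args) {
    if (strpbrk(line, ";|&`$<>()\\\"'\n") != NULL) return -1;
    int argc = 0;
    for (char *tok = strtok(line, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (argc >= max_args - 1) return -1;
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    return argc;
}

/* 1 if name is a listed applet; "exec", "eval", "." or any path is refused. */
int is_allowed(const char *name) {
    for (int i = 0; ALLOWED[i] != NULL; i++)
        if (strcmp(name, ALLOWED[i]) == 0) return 1;
    return 0;
}

/* Dispatch one line: -1 refused, -2 exit requested, else the child's exit status. Applets assumed at /bin/<name>. */
int run_restricted(const char *input) {
    char line[256], path[64], *argv[16];
    snprintf(line, sizeof line, "%s", input);
    if (split_cmdline(line, argv, 16) < 1 || !is_allowed(argv[0])) return -1;
    if (strcmp(argv[0], "exit") == 0) return -2;
    pid_t pid = fork();
    if (pid == 0) {
        snprintf(path, sizeof path, "/bin/%s", argv[0]);
        execv(path, argv);            /* direct exec: no shell, no builtins */
        _exit(127);
    }
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With this design a line such as exec /bin/sh is refused before anything is spawned, because "exec" is not an applet name and no interpreter exists to treat it as a builtin.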
The vendor links to new firmware versions at the end of their advisory: https://forum.peplink.com/t/peplink-security-advisory-smart-reader-firmware-1-2-0-cve-2023-43491-cve-2023-45209-cve-2023-39367-cve-2023-45744-cve-2023-40146/47256
2023-11-30 - Vendor Disclosure
2024-04-17 - Vendor Patch Release
2024-04-17 - Public Release
Discovered by Matt Wiseman of Cisco Talos.