An attacker can create a specially-crafted update_json HTTP request that causes the update_json function to load a different file than it normally would, which results in system file overwriting. An attacker can make the request to the following URL to inject a new system file: https://[DNS or IP of rt-ax56u]/setupupdate.json

Vulnerability Details

A system file overwriting vulnerability, tracked as CVE-2022-23970, was found in a Google Wifi device. This attack allows an attacker to overwrite the system files on a device, which may lead to the device being completely unusable.

Vulnerability Characteristics

- The vulnerability is located in the update_json function of the Wireless Setup Update feature.
- An attacker can create a specially-crafted update_json HTTP request that causes the update_json function to load a different file than it normally would, which results in system file overwriting.
- The attack that this vulnerability enables is remote.
- This vulnerability exists because of an error in the way AirWatch Administrator Service (AWAIS) code handles system files.
- An attack that exploits this vulnerability could be used by an attacker to gain elevated privileges on the device.
- The impact of exploiting this vulnerability depends on whether the UPDATE_JSON command was being used and what parameters were passed to it: if UPDATE_JSON was being called with no parameters, there would be no impact; however, if the command was being used with parameters, it could overwrite any existing data on the device's filesystem.

Vulnerability Finding Tips

1. Use standard tools such as Fiddler for network analysis and Burp Suite for web application analysis.
2. Set up an external proxy or use an Amazon Web Services (AWS) instance.
3. Leverage API calls for your search engine or social media crawler.
4. Utilize your knowledge of possible attack vectors.

Vulnerability Symptoms

An example of a vulnerability is when an attacker creates a specially-crafted update_json HTTP request that causes the update_json function to load a different file than it normally would, which results in system file overwriting. An attacker can make the request to the following URL to inject a new system file: https://[DNS or IP of rt-ax56u]/setupupdate.json

Timeline

Published on: 04/07/2022 19:15:00 UTC
Last modified on: 04/14/2022 20:42:00 UTC
