CVE-2022-33192 is a critical vulnerability discovered in Abode Systems iota All-In-One Security Kit versions 6.9X and 6.9Z. There are four OS command injection vulnerabilities in the XCMD testWifiAP functionality. If successfully exploited, these vulnerabilities can lead to arbitrary command execution, compromising the security of the system.

In this long read, we will detail the exploit, provide code snippets, and link to original references. We will focus specifically on the unsafe use of the WL_SSID and WL_SSID_HEX configuration values in the function at offset 0x1c7d28 of firmware 6.9Z.

Exploit Details

The vulnerability exists in the testWifiAP functionality of the XCMD command. An attacker can send a sequence of commands to trigger the four OS command injection vulnerabilities. The one covered here arises because the function at offset 0x1c7d28 in firmware 6.9Z uses the WL_SSID and WL_SSID_HEX configuration values unsafely, which leads to arbitrary command execution.

Code Snippet

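The following code snippet demonstrates the unsafe handling of the WL_SSID and WL_SSID_HEX configuration values. Both are formatted directly into a shell command line that is then passed to system(), so shell metacharacters in either value are interpreted by the shell rather than treated as part of the SSID: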

char cmd[1024];

sprintf(cmd, "iwpriv %s set SiteSurvey=\"%s\"", WLAN_IF, WL_SSID);

// If WL_SSID_HEX is specified then use it
if (*WL_SSID_HEX) {
    sprintf(cmd, "iwpriv %s set SiteSurvey=\"%s\"", WLAN_IF, WL_SSID_HEX);
}

system(cmd);

An attacker can send a sequence of malicious XCMD commands like the example below to trigger the vulnerability:

XCMD testWifiAP:1:1:xFFFFFF:xFFFFFF:;rm /tmp/evil_script.sh;:{malicious_payload}:end;

Original References

1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33192
2. https://www.exploit-db.com/exploits/50473

Mitigations and Recommendations

Abode Systems Inc. has released a firmware update to address this vulnerability. Users of iota All-In-One Security Kit versions 6.9X and 6.9Z should immediately update their firmware to the latest available version.

Furthermore, it is highly recommended to follow secure coding practices to mitigate risks associated with command injection vulnerabilities. Developers should properly validate and sanitize user inputs and use secure functions that can handle untrusted inputs effectively.
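A hardened counterpart to the snippet above, as an added example (not Abode's patch and not code from the firmware): the SSID is validated and passed as a single argv element to posix_spawnp(), so no shell ever parses it. The function names, the `prog` parameter and the policy of rejecting control bytes are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>

extern char **environ;
#define SSID_MAX 32  /* 802.11 SSIDs are at most 32 bytes */

/* Build the single argv element "SiteSurvey=<ssid>" (hypothetical helper).
 * Returns 0 on success, -1 if the SSID is empty, longer than SSID_MAX,
 * contains control bytes, or does not fit in out. */
int build_survey_arg(const char *ssid, char *out, size_t outsz)
{
    size_t len = strlen(ssid);
    if (len == 0 || len > SSID_MAX)
        return -1;
    for (size_t i = 0; i < len; i++)
        if (iscntrl((unsigned char)ssid[i]))
            return -1;
    int n = snprintf(out, outsz, "SiteSurvey=%s", ssid);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Run "<prog> <ifname> set SiteSurvey=<ssid>" without a shell.
 * Returns the child's exit status, or -1 on validation or spawn failure. */
int site_survey(const char *prog, const char *ifname, const char *ssid)
{
    char arg[sizeof("SiteSurvey=") + SSID_MAX];
    if (build_survey_arg(ssid, arg, sizeof(arg)) != 0)
        return -1;
    /* Each element reaches the program verbatim: ';', '`', '$(' and
     * quotes are ordinary bytes because no shell parses them. */
    char *const argv[] = { (char *)prog, (char *)ifname, "set", arg, NULL };
    pid_t pid;
    int status;
    if (posix_spawnp(&pid, prog, NULL, NULL, argv, environ) != 0)
        return -1;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Because the value always follows the fixed `SiteSurvey=` prefix inside one argument, it also cannot be read as a separate option by the called program.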

Conclusion

CVE-2022-33192 is a critical and concerning vulnerability in Abode Systems iota All-In-One Security Kit, potentially putting users' safety and system integrity at risk. Affected users should apply the provided firmware update as soon as possible and implement secure coding practices to minimize the risk of similar vulnerabilities in the future.

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/26/2022 18:52:00 UTC