This can be exploited to perform command execution on the target device.

In order to exploit this issue, a specially crafted app must be uploaded to the target device.

Successful exploitation requires the device to be running a version of Innovaphone AppManager prior to 13r2. AppManager is a SaaS app management service provided by Innovaphone.

App upload will fail if the app contains a specially crafted service ID. The upload fails when attempting to update the app with an ID whose first character is a colon, a semi-colon, or an underscore.

In order to exploit this command injection, an app upload that contains a service ID that matches one of the above conditions must be performed.

Solution:

A possible solution to this is to only upload apps that do not contain these characters.

Fixing the Issue:

The command execution vulnerability can be fixed by changing the AppManager service ID format used when uploading an app.

AppManager's service ID must contain alphabetic characters only: no colon, semi-colon, underscore or hyphen.
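One way to enforce this rule on service IDs before an upload is attempted, shown as an added example (not Innovaphone's code). The function names and sample IDs are constructed, and "alphabetic" is assumed to mean ASCII letters only.

```python
import re

# Assumption: "alphabetic characters only" is read as ASCII letters A-Z / a-z.
_SERVICE_ID = re.compile(r"[A-Za-z]+")

# Characters the text names explicitly, used only to give a clearer reason.
_NAMED_BAD = {":": "colon", ";": "semi-colon", "_": "underscore", "-": "hyphen"}


def check_service_id(service_id):
    """Return (ok, reason) for one service ID under the allow-list rule."""
    if not isinstance(service_id, str) or service_id == "":
        return False, "empty or not a string"
    # fullmatch, not match() with ^...$: '$' would accept a trailing newline.
    if _SERVICE_ID.fullmatch(service_id):
        return True, "ok"
    # Report the first offending character so the ID can be corrected.
    for pos, ch in enumerate(service_id):
        # str.isalpha() alone also accepts non-ASCII letters, so check both.
        if not (ch.isascii() and ch.isalpha()):
            name = _NAMED_BAD.get(ch, f"disallowed character {ch!r}")
            return False, f"{name} at position {pos}"
    return False, "unexpected input"  # not reachable for non-empty strings


def audit(service_ids):
    """Split IDs into accepted ones and (id, reason) pairs for rejected ones."""
    accepted, rejected = [], []
    for sid in service_ids:
        ok, reason = check_service_id(sid)
        if ok:
            accepted.append(sid)
        else:
            rejected.append((sid, reason))
    return accepted, rejected


# Constructed sample IDs, not taken from any real app package.
SAMPLE_IDS = ["phonebook", ":users", ";reports", "_devices",
              "call-list", "caf\u00e9", "files\n"]

if __name__ == "__main__":
    ok_ids, bad_ids = audit(SAMPLE_IDS)
    print("accepted:", ok_ids)
    for sid, reason in bad_ids:
        print(f"rejected {sid!r}: {reason}")
```
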

To fix this issue, follow these steps:
1. Download the latest version of AppManager from www.innovaphone.com/downloads
2. Install the latest version of Innovaphone AppManager
3. Start Innovaphone AppManager
4. From the left-hand menu, open a new project
5. From the left-hand menu, open Apps upload
6. Update your existing project with a new ID
7. Test your payload on target devices

After the app upload has failed, a new AppManager instance will be started on the target device.


The new instance will be started after waiting for a period of time. The default wait period is 300 seconds, which translates to 5 minutes. However, the wait period can be changed by modifying the following registry key:
HKLM\SYSTEM\CurrentControlSet\Services\AppMgr\Parameters

| Setting name | Value | Description |
|---|---|---|
| TimeOut | 0 | Number of seconds to wait before starting the new AppManager instance. |

Timeline

Published on: 09/30/2022 18:15:00 UTC
Last modified on: 10/04/2022 17:10:00 UTC

References