CVE-2019-18396 — Command Injection in Technicolor router
Introduction —
This is my first CVE and I’m very excited because my first CVE is about a critical flaw. To be honest, I wasn’t looking for this vulnerability, at least not to get a CVE; I was looking for access to networked computers from a switch or router. This same command injection vulnerability is present in an older firmware version (CVE-2017-14127), and I found it very strange that it was present after several updates, because the updates are for bug fixes, right? Let’s go to the technical details.
Technical details —
This vulnerability is a simple command injection (DVWA feelings) in mnt_ping.cgi and is present on the Technicolor TD5130v2 router running the OI_Fw_V20 firmware. It occurs because input data is not validated, and it is relatively easy to mitigate by handling the data entry properly.
Proof Of Concept —
First Step —
Log in to the router’s panel (admin:admin):
Second Step —
Go to Ping:
Third Step —
Try to escape to the system:
Fourth Step —
Oh shit! We can’t escape via POST, let’s try the GET method:
http://192.168.1.1/mnt_ping.cgi?isSubmit=1&addrType=3&pingAddr=;ls%20/&send=Send
Fifth Step —
Yeah, successful!! Let’s try reading /etc/passwd:
Seventh Step —
Yeah, successful again!! Now let’s try to make this POC a little prettier with Python, see: