Thursday, January 23, 2020

[RUCKUS] Authenticated RCE RUCKUS R500 - via injection on unsanitized input

[RUCKUS] Authenticated RCE RUCKUS R500 - via injection on unsanitized input

Device: Ruckus R500 Multimedia Hotzone Wireless AP
Version: R500_104.0.0.0.1347


Vulnerability: Authenticated Remote command execution (via injection on unsanitized input)



After logging in to the administrative web portal with credentials, we can see that there's a way to execute ping and traceroute to arbitrary IP addresses, those forms are usually common vectors for command injection, but after some testing we noticed that there is some sanitization implemented. However, we were able to prove that there is a third (hidden) input form used to run nslookup, but unlike the other two, it didn't have the same protection.


After searching and getting the firmware image, we extract the contents of the root partition (/) in order to examine the components of the administrative web portal. The main objective was to look for possible ways to evade the input filtering or to see if there were any hidden unprotected forms that allows us to execute OS commands.

The scripts (.asp) files from the portal are located in the /web directory, but the web logic processing takes place in the code of the binary /usr/sbin/webs and its library dependency /usr/lib/librsm.so.

Using Ghidra, we decompile both files and then we check the function pingFormHandler(), which handles the request made to the endpoint /form/pingHandler via POST method.

@/usr/sbin/webs

From the previous image, we can see a call to a function called rsm_c_escChar() a few lines before the call to popen(), which is the one that actually execute /bin/ping with its arguments.

The rsm_c_escChar() function, implemented in the library librsm.so, is the one that sanitizes the input by prepending a \ (backslash) character right before every badchar.

@/usr/lib/librsm.so

  On the other hand, by looking at the file /web/administrator/diagnostics.asp we see the actual hidden form which is only shown if a flag called isnslookupTestThere is enabled.

















 So, after finding the function nslookupHandler() which handles the requests made to the /form/nslookupHandler endpoint, we notice that it misses the call to the sanitization function and there isn't anything than impedes us to make requests directly to the endpoint.

  @/usr/sbin/webs

Finally, we conclude that the only condition needed to execute commands is to avoid any spacing characters in the input because of the call to sscanf, otherwise the input string would be split. A common way to bypass such condition is by replacing any space character with the shell variable ${IFS} (internal field separator).

As an example, in the following request we read the passwd file then we save its contents into pingresults.txt so we can easily get the output from the administration portal.



nslookuptarget=|cat${IFS}/etc/passwd>/tmp/pingresults.txt


Request:

Response:

Response, viewed from the browser.

By @fjv


CesarSilence

Autor

0 comentarios:

Post a Comment

 
biz.