Monday, February 10, 2020

[GOCLOUD] - RCE in Gocloud Routers (authenticated) - (CVE-2020-8949)

The following GOCLOUD routers are vulnerable to OS command injection:

Affected Versions:
  • GOCLOUD S2A_WL - Firmware Version
  • GOCLOUD S2A - Firmware Version
  • GOCLOUD S2A - Firmware Version
  • GOCLOUD S2A - Firmware Version
  • GOCLOUD S3A (K2P MTK Version) - Firmware Version
  • GOCLOUD S3A - Firmware Version
  • GOCLOUD ISP3000 Intel(R) Xeon(R) E5-2660 - Firmware Version

These routers appear to be widely used in China, and they are vulnerable to command injection in the systemtools diagnostic function.

Within the "ping" function in the URL, commands can be injected by wrapping the injected command in ";" characters at its beginning and end.

For example:

This must be executed after authenticating to the application.

I encountered the problem that some characters, such as "/", gave me problems, so I used base64 to encode the payload.


By: @Linuxmonr4

[TimeTools] - SR / SC Series Network Time Protocol Server - RCE - (CVE-2020-8963 | CVE-2020-8964)

According to the vendor's page:

SR Series GPS \ LF Radio NTP Time Servers
Synchronize your network with microsecond precision using Network Time Protocol (NTP \ SNTP).

Accurately synchronize Windows, Linux, Unix, Servers and Workstations, Time Displays, CCTV systems, DVR’s, telephone systems, switches, routers and more!

GPS, MSF and DCF-77 reference clock options for Stratum 1 operation. Peering and Stratum 2 operation via NTP servers.

After downloading and analyzing the device firmware, I found that the cookie is hardcoded as a backdoor in the t3.cgi binary, and obviously this allows you to log into any device that is exposed on the internet.

Taking advantage of the hardcoded cookie, we send the t3axs cookie via GET as follows and enter any of the affected devices:


That was the first vulnerability, and the one that enables the rest of the scenario.

Continuing with the analysis, I also found an OS command injection which, together with the hardcoded cookie, makes it an "unauthenticated remote OS command injection" that allows you to take direct control of any of the affected devices, executing commands as root.

In SR and SC series servers

The application expects two parameters: the first is a valid cookie (t3axs) and the second is "srmodel", which ends up being passed as an argument to system(), so commands can be injected there.

The "rtime" parameter also ends up as an argument to system(), which allows commands to be injected through that parameter as well.

Running the "ls" command in the settime function

Reading "/etc/shadow" confirms that root is the user running those commands.

Factorymodel function

In the T100/T300/T550 series servers, exactly the same happens as in the firmware of the indoor devices.

The only difference from the previous case is that the output is not reflected in the web server's response, but if it is redirected to the path "/home/root/www/output.txt", the output of each command can be read from there.

To complete a reverse shell

Affected Devices:
  • SR9850
  • SR9750
  • SC9705
  • SR9210
  • SC9205
  • SR7110
  • SC7105
  • T100
  • T300
  • T550

CVE IDs:
  • CVE-2020-8963
  • CVE-2020-8964

By: @linuxmonr4

:::Many thanks to Xploited for the support:::

[Netis] Authenticated RCE on WF2471 wireless router (v1.2.30142) (CVE-2020-8946).

Netis systems is a manufacturer of computer network hardware from Shenzhen, China. Their product range includes numerous devices such as wireless routers, access points, switches, adapters, etc.

Device: WF2471
Firmware version: 1.2.30142

During our research, we found a couple of wireless router models vulnerable to a command injection in one of the parameters used when performing a system log cleanup.

Normally, the request takes only a single parameter: log_name.

However, careful static analysis of the affected CGI file reveals a call to the system() function into which additional content can be injected by adding two extra parameters: type_change_clean and log_3g_type.

Then, the following conditions must be satisfied:
  • log_name has to be equal to 3g, instead of ALL
  • type_change_clean must be set to log_type
  • Finally, log_3g_type is the parameter where the actual injection takes place. OS commands are inserted in between semicolon characters, as demonstrated as follows:
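As an added defender-side example (my code, not from any of the three advisories on this page): a small Python detector that runs over constructed access-log lines and flags requests matching the injection patterns described above, namely shell metacharacters in the srmodel, rtime and log_3g_type parameters, base64-wrapped payloads as in the GOCLOUD case, and the three Netis log-cleanup preconditions. The t3.cgi path and the parameter names come from the advisories; the other CGI paths and the GOCLOUD "host" parameter name are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

SHELL_META = re.compile(r"[;|&`$\n]")  # ';' is the separator all three advisories describe
REQ_LINE = re.compile(r'"[A-Z]+ (?P<url>\S+) HTTP/')  # request line inside a common-log entry

# Constructed sample access-log lines (not real device logs). t3.cgi and the parameter names come from
# the advisories; /cgi-bin/log_clean.cgi, /systemtools/ping and "host" are assumed. Last line = base64(";ls;").
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2020:10:00:01 +0000] "GET /cgi-bin/t3.cgi?t3axs=REDACTED&srmodel=SR9850 HTTP/1.1" 200 512
10.0.0.9 - - [10/Feb/2020:10:00:02 +0000] "GET /cgi-bin/t3.cgi?t3axs=REDACTED&srmodel=%3Bls%3B HTTP/1.1" 200 1024
10.0.0.9 - - [10/Feb/2020:10:00:03 +0000] "GET /cgi-bin/t3.cgi?t3axs=REDACTED&rtime=%3Bid%3B HTTP/1.1" 200 900
10.0.0.7 - - [10/Feb/2020:10:00:04 +0000] "GET /cgi-bin/log_clean.cgi?log_name=ALL HTTP/1.1" 200 88
10.0.0.7 - - [10/Feb/2020:10:00:05 +0000] "GET /cgi-bin/log_clean.cgi?log_name=3g&type_change_clean=log_type&log_3g_type=%3Bid%3B HTTP/1.1" 200 88
10.0.0.3 - - [10/Feb/2020:10:00:06 +0000] "GET /systemtools/ping?host=O2xzOw%3D%3D HTTP/1.1" 200 300
"""

def decode_b64(value):
    """ASCII text hidden behind a base64 value, or None if the value is not base64 at all."""
    try:
        return base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None

def findings_for(url):
    """Reasons a request URL matches the injection patterns the advisories describe."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    reasons = []
    for name, values in params.items():
        for v in values:
            if SHELL_META.search(v):
                reasons.append(f"shell metacharacter in {name}")
            elif (decoded := decode_b64(v)) is not None and SHELL_META.search(decoded):
                reasons.append(f"shell metacharacter in base64-decoded {name}")
    # Netis WF2471: the three preconditions the advisory lists for reaching system()
    if (params.get("log_name") == ["3g"] and params.get("type_change_clean") == ["log_type"]
            and "log_3g_type" in params):
        reasons.append("netis log-cleanup injection preconditions present")
    return reasons

def scan_log(text):
    """(client_ip, path, reasons) for each access-log line that matches at least one pattern."""
    alerts = []
    for line in text.splitlines():
        m = REQ_LINE.search(line)
        if m and (reasons := findings_for(m["url"])):
            alerts.append((line.split()[0], urlsplit(m["url"]).path, reasons))
    return alerts
```

Values are inspected after percent-decoding, so `%3B` and a literal `;` are treated alike; a value that is valid base64 is additionally decoded and re-checked, which is how the GOCLOUD-style encoded payload is caught.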