CVE-2022-26007
An OS command injection vulnerability exists in the console factory functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted network request can lead to command execution. An attacker can send a sequence of requests to trigger this vulnerability.
InHand Networks InRouter302 V3.5.4
InRouter302 - https://www.inhandnetworks.com/products/inrouter300.html
9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H - chain: TALOS-2022-1472
### CWE
CWE-77 - Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
The InRouter302 is an industrial LTE router. It features remote management functionalities and several security protection mechanism, such as: VPN technologies, firewall functionalities, authorization management and several other features.
The InRouter302 offers telnet and sshd services. Both, when provided with the correct credentials, will allow access to the Router console.
Here the prompt after the login:
************************************************
Welcome to Router console
Inhand
Copyright @2001-2020, Beijing InHand Networks Co., Ltd.
http://www.inhandnetworks.com
------------------------------------------------
Model : IR302-WLAN
Serial Number : RF3022141057211
Description : www.inhandnetworks.com
Current Version : V3.5.4
Current Bootloader Version : 1.1.3.r4955
------------------------------------------------
get help for commands
------------------------------------------------
type '?' for detail help at any point
================================================
help -- get help for commands
language -- Set language
show -- show system information
exit -- exit current mode/console
ping -- ping test
comredirect -- COM redirector
telnet -- telnet to a host
traceroute -- trace route to a host
enable -- turn on privileged commands
Router>
Several commands are available. The Router console offers, after the user provides the privileged user password, additional privileged functionalities. Here is the prompt after providing the privileged user credentials:
Router> enable
input password:
Router#
get help for commands
------------------------------------------------
type '?' for detail help at any point
================================================
help -- get help for commands
language -- Set language
show -- show system information
exit -- exit current mode/console
reboot -- reboot system
ping -- ping test
comredirect -- COM redirector
telnet -- telnet to a host
traceroute -- trace route to a host
disable -- turn off privileged commands
configure -- enter configuration mode
restore -- restore firmware
erase -- erase a filesystem
Router#
The Router console contains a command, called factory
, that is not listed among the available functions. This is probably a leftover debug code.
Here is the function that will manage the factory
command in the privileged user level:
int factory_functionality(undefined4 param_1,char *command_line_provided)
{
[...]
if ((command_line_provided == (char *)0x0) || (*command_line_provided == '\0')) {
is_command = -2;
}
else {
second_arg = command_line_provided;
first_arg = (char *)maybe_get_next_token(second_arg);
[...]
is_command = strncmp(first_arg,"iwpriv",6); [1]
if (is_command != 0) {
return 0;
}
if (*second_arg == '\"') {
second_arg = second_arg + 1;
}
second_arg_ = second_arg;
[...]
sprintf(command_line_buff,"iwpriv %s",second_arg_); [2]
system(command_line_buff); [3]
}
[...]
}
The command_line_provided
argument is what follows the factory
command. The command_line_provided
is split, using the space character, into two tokens. If the first token provided is iwpriv
, checked at [1]
, then later the second token, at [2]
, will be used to create the iwpriv <second_token>
command. This command will be executed, at [3]
, with system
.
An attacker could exploit the second token to perform a command injection in the call to system
at [3]
.
Note that, while this issue requires the most privileged logged-in user, it’s possible to use TALOS-2022-1472 to perform this API starting from a low-privileged user credentials. In this case, the actual chained CVSS score would be 9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.
After entering the privileged user level mode, using the enable
command, providing the following string: factory iwpriv `/bin/sh$IFS1>&2`
will prompt a /bin/sh shell:
Router# factory iwpriv `/bin/sh$IFS1>&2`
BusyBox v1.26.2 (2020-10-14 18:29:02 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
/www #
The vendor has updated their website and uploaded the latest firmware on it. https://inhandnetworks.com/product-security-advisories.html https://www.inhandnetworks.com/products/inrouter300.html#link4
https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf
2022-03-15 - Vendor Disclosure
2022-05-10 - Public Release
2022-05-10 - Vendor Patch Release
Discovered by Francesco Benvenuto of Cisco Talos.