CVE-2022-40992,CVE-2022-41018,CVE-2022-41005,CVE-2022-41028,CVE-2022-40990,CVE-2022-40985,CVE-2022-40989,CVE-2022-40991,CVE-2022-40994,CVE-2022-41002,CVE-2022-41012,CVE-2022-41019,CVE-2022-41030,CVE-2022-41011,CVE-2022-41027,CVE-2022-40986,CVE-2022-41007,CVE-2022-41022,CVE-2022-41020,CVE-2022-40995,CVE-2022-40998,CVE-2022-41001,CVE-2022-41006,CVE-2022-41014,CVE-2022-41029,CVE-2022-41010,CVE-2022-40997,CVE-2022-40996,CVE-2022-41016,CVE-2022-40988,CVE-2022-41017,CVE-2022-41004,CVE-2022-41013,CVE-2022-41000,CVE-2022-40999,CVE-2022-41025,CVE-2022-41008,CVE-2022-41015,CVE-2022-41026,CVE-2022-41024,CVE-2022-41009,CVE-2022-41003,CVE-2022-40993,CVE-2022-41021,CVE-2022-40987,CVE-2022-41023
Several stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Siretta QUARTZ-GOLD G5.0.1.5-210720-141020
QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/
7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as SSH, UPNP, VPN, SNMP and many others.
The QUARTZ-GOLD router offers a customized router console provided by the DetranCLI binary. From this CLI interface it is possible to use several functionalities, many of which share a parsing pattern that is vulnerable to a stack-based buffer overflow.
This pattern looks like: sprintf(stack_buffer, format_string, command_parameter_1, ...). The problem is that, in many functions, the size of command_parameter_X is not checked against the size of stack_buffer, which can lead to a stack-based buffer overflow.
The DetranCLI binary uses a command template for each command. The special keywords relevant to these templates are:

WORD: a parameter consisting of any sequence of printable characters.
CODE: a parameter similar to WORD.
A.B.C.D: a parameter representing an IP address.
<min_value-max_value>: a numerical parameter with a range of possible values, from min_value to max_value.
(choice1|choice2....): a parameter with a set of possible values. A value can itself be another special keyword, like WORD or <min_value-max_value>.

Each of the above special keywords fills the char** array provided as the second parameter of each command function. From this point on, this second argument will be called argv. Each special keyword is inserted into argv progressively. For example, for the command:
firmwall keyword WORD description (WORD|null)
The function handling this command will have as argv[0] a sequence of characters, and as argv[1] either any sequence of characters or the string ‘null’.
Following is the list of vulnerable commands with their details.
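As a defender's illustration of the fix this pattern calls for, the following added C example (not code from the advisory, the vendor or the DetranCLI binary) rebuilds the record behind the firmwall keyword template with a bounded formatter and a parse-time check on each WORD. RECORD_LEN comes from the buff_0x80 name on the page; MAX_WORD_LEN, the function names and the sample values are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Size of the stack buffer used by the "firmwall keyword" handler described
 * on the page (buff_0x80). The other handlers use 0x20..0x200 byte buffers;
 * the same two checks apply to each of them. */
#define RECORD_LEN 0x80

/* Longest WORD/CODE token accepted at parse time. Assumed value: the page
 * does not say how long a legitimate parameter may be. */
#define MAX_WORD_LEN 63

/* Bounded replacement for the sprintf(stack_buffer, fmt, argv...) pattern.
 * Returns the formatted length, or -1 (leaving an empty string) when the
 * result would not fit; vsnprintf never writes more than len bytes. */
static int bounded_format(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (len == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf, len, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= len) {   /* encoding error or truncation */
        buf[0] = '\0';
        return -1;
    }
    return n;
}

/* Check the template matcher should apply to every WORD/CODE token before it
 * is stored in argv: non-empty, printable ASCII only, bounded in length. */
static int word_is_valid(const char *tok)
{
    size_t i, n = strlen(tok);
    if (n == 0 || n > MAX_WORD_LEN)
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)tok[i];
        if (c < 0x20 || c > 0x7e)
            return 0;
    }
    return 1;
}

/* Hardened form of the handler behind
 *     firmwall keyword WORD description (WORD|null)
 * which on the page runs sprintf(buff_0x80,"%d<%s<%s",1,*argv,argv[1]).
 * Both checks stay: two maximum-length WORDs still exceed 0x80 bytes, and
 * bounded_format rejects that case instead of overrunning the stack. */
int build_firmwall_keyword_record(char out[RECORD_LEN], const char *const argv[])
{
    /* argv[1] is either the literal "null" or a WORD; both go through the check. */
    if (!word_is_valid(argv[0]) || !word_is_valid(argv[1]))
        return -1;
    return bounded_format(out, RECORD_LEN, "%d<%s<%s", 1, argv[0], argv[1]) < 0
               ? -1 : 0;
}

int main(void)
{
    const char *argv[] = { "vendor-x", "null" };   /* constructed sample input */
    char record[RECORD_LEN];
    if (build_firmwall_keyword_record(record, argv) == 0)
        printf("record: %s\n", record);   /* record: 1<vendor-x<null */
    return 0;
}
```

The function returns 0 and fills the record on valid input, and -1 (with an empty record) when a parameter is malformed or the formatted record would not fit in 0x80 bytes.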
This stack-based buffer overflow can be reached using the following command template:
(ddns1|ddns2) hostname WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x200,"%s<%s:%s<%s<%s<%s<%s<%s","","","",argv[1],"0","","0","");
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
(ddns1|ddns2) mx WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x200,"%s<%s:%s<%s<%s<%s<%s<%s","","","","","0",argv[1],"0","");
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
(ddns1|ddns2) username WORD password CODE
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x200,"%s<%s:%s<%s<%s<%s<%s<%s","",argv[1],argv[2],"","0","","0","");
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
ipv6 static dns WORD WORD WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_260,"%s %s %s",*argv,argv[1],argv[2]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
bandwidth WORD dlrate <1-9999> dlceil <1-9999> ulrate <1-9999> ulceil <1-9999> priority (highest|high|normal|low|lowest)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%s<%s<%s<%s<%s<%d<0<0",*argv,argv[1],argv[2],argv[3],argv[4],based_on_argv[5]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
no bandwidth WORD dlrate <1-9999> dlceil <1-9999> ulrate <1-9999> ulceil <1-9999> priority (highest|high|normal|low|lowest)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%s<%s<%s<%s<%s<%d<0<0",*argv,argv[1],argv[2],argv[3],argv[4],based_on_argv[5]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
firmwall domain WORD description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%d<%s<%s",1,*argv,argv[1]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
no firmwall domain WORD description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(stack_0x80,"%d<%s<%s",1,*argv,argv[1]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
firmwall keyword WORD description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%d<%s<%s",1,*argv,argv[1]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
no firmwall keyword WORD description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%d<%s<%s",1,*argv,argv[1]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
firmwall srcmac (WORD|null) srcip (A.B.C.D|null) dstip (A.B.C.D|null) protocol (none|tcp|udp|icmp) srcport (<1-65535>|null) dstport (<1-65535>|null) policy (drop|accept) description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%s<%s<%d<%s<%s<%d<%s>",1,*argv,argv[1],argv[2],depentent_on_argv[3],argv[4],argv[5],iVar6,argv[7]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
no firmwall srcmac (WORD|null) srcip (A.B.C.D|null) dstip (A.B.C.D|null) protocol (none|tcp|udp|icmp) srcport (<1-65535>|null) dstport (<1-65535>|null) policy (drop|accept) description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%s<%s<%d<%s<%s<%d<%s",1,*argv,argv[1],argv[2],depentent_on_argv[3],argv[4],argv[5],depentent_on_argv[6],argv[7]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
gre index <1-8> destination A.B.C.D/M description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%d<%s<%s<%s>",1,*argv,argv[1],argv[2]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
no gre index <1-8> destination A.B.C.D/M description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%d<%s<%s<%s",1,*argv,argv[1],argv[2]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
gre index <1-8> tunnel A.B.C.D source (A.B.C.D|null) dest A.B.C.D keepalive (on|off) interval (<0-255>|null) retry (<0-255>|null) description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%d<%s<%s<%s<%s<%d<%s<%s<%s>",1,*argv,argv[1],argv[2],argv[3],dependent_on_argv[4],argv[5],argv[6],argv[7]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
no gre index <1-8> tunnel A.B.C.D source (A.B.C.D|null) dest A.B.C.D keepalive (on|off) interval (<0-255>|null) retry (<0-255>|null) description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%d<%s<%s<%s<%s<%d<%s<%s<%s",1,*argv,argv[1],argv[2],argv[3],dependent_on_argv[4],argv[5],argv[6],argv[7]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
icmp check link WORD destination WORD interval <1-255> retries <1-255> description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%d<%s<%s<%d<%d<%s",1,*argv,argv[1],atoi_argv[2],atoi_argv[3],argv[4]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
no icmp check link WORD destination WORD interval <1-255> retries <1-255> description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%d<%s<%s<%d<%d<%s",1,*argv,argv[1],atoi_argv[2],atoi_argv[3],argv[4]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
ip nat outside source (udp|tcp|all) (WORD|null) WORD to A.B.C.D (WORD|null) description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%d<%s<%s<%s<%s<%s",1,based_on_argv[0],argv[1],argv[2],argv[4],argv[3],argv[5]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
no ip nat outside source (udp|tcp|all) (WORD|null) WORD to A.B.C.D (WORD|null) description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x40,"%d<%d<%s<%s<%s<%s<%s",1,based_on_argv[0],argv[1],argv[2],argv[4],argv[3],argv[5]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
ip static route destination A.B.C.D gateway A.B.C.D mask A.B.C.D metric <0-10> interface (lan|wan|vpn) description WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%s<%s<%s<%s<%s<%s",*argv,argv[1],argv[2],argv[3],argv[4],argv[5]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
no ip static route destination A.B.C.D gateway A.B.C.D mask A.B.C.D metric <0-10> interface (lan|wan|vpn) description WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%s<%s<%s<%s<%s<%s",*argv,argv[1],argv[2],argv[3],argv[4],argv[5]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
port redirect protocol (tcp|udp|tcp/udp) inport <1-65535> dstaddr A.B.C.D export <1-65535> description WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%d<%d<%s<%s<%s<%s>",1,based_on_argv[0],atoi_argv[1],argv[2],atoi_argv[3],argv[4]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
no port redirect protocol (tcp|udp|tcp/udp) inport <1-65535> dstaddr A.B.C.D export <1-65535> description WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%d<%d<%s<%s<%s<%s",1,based_on_argv[0],atoi_argv[1],argv[2],atoi_argv[3],argv[4]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
port triger protocol (tcp|udp|tcp/udp) triger port <1-65535> forward port <1-65535> description WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%d<%d<%s<%s<%s>",1,based_on_argv[0],atoi_argv[1],atoi_argv[2],argv[3]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
no port triger protocol (tcp|udp|tcp/udp) triger port <1-65535> forward port <1-65535> description WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%d<%d<%s<%s<%s",1,based_on_argv[0],atoi_argv[1],atoi_argv[2],argv[3]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
schedule link1 WORD link2 WORD policy (failover|backup) description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%s<%d<%s",1,*argv,argv[1],dependent_on_argv[2],argv[3]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
no schedule link1 WORD link2 WORD policy (failover|backup) description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%s<%d<%s",1,*argv,argv[1],dependent_on_argv[2],argv[3]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
static dhcp mac WORD (WORD|null) ip A.B.C.D hostname (WORD|null) description (WORD|null)
If the command is issued correctly, the following code will be reached:
if (*argv[1] == '\x00'){
    format_string = "%s%s<%s<%s<%s";
}
else{
    format_string = "%s,%s<%s<%s<%s";
}
sprintf(buff_0x40,format_string,*argv,argv[1],argv[2],argv[3],argv[4]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
no static dhcp mac WORD (WORD|null) ip A.B.C.D hostname (WORD|null) description (WORD|null)
If the command is issued correctly, the following code will be reached:
if (*argv[1] == '\x00'){
    format_string = "%s%s<%s<%s<%s";
}
else{
    format_string = "%s,%s<%s<%s<%s";
}
sprintf(buff_0x40,format_string,*argv,argv[1],argv[2],argv[3],argv[4]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%d<%s<%s<%s<%s<%d<%d<%s",1,based_on_argv[0],argv[1],argv[2],argv[3],argv[4],based_on_argv[5],based_on_argv[6],"");
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
no vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%d<%s<%s<%s<%s<%d<%d<%s",1,based_on_argv[0],argv[1],argv[2],argv[3],argv[4],based_on_argv[5],based_on_argv[6],"");
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off) localip A.B.C.D
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%d<%s<%s<%s<%s<%d<%d<%s",1,based_on_argv[0],argv[1],argv[2],argv[3],argv[4],based_on_argv[5],based_on_argv[6],argv[7]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
no vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off) localip A.B.C.D
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%d<%s<%s<%s<%s<%d<%d<%s",1,based_on_argv[0],argv[1],argv[2],argv[3],argv[4],based_on_argv[5],based_on_argv[6],argv[7]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%d<%s<%s<%d<%s<%s",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],argv[5],"");
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
no vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%d<%s<%s<%d<%s<%s",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],argv[5],"");
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null) options WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%d<%s<%s<%d<%s<%s",1,*argv,based_on_argv[1],atoi_argv[2],argv[3],based_on_argv[4],argv[5],"");
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
no vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null) options WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%d<%s<%s<%d<%s<%s",1,*argv,based_on_argv[1],atoi_argv[2],argv[3],based_on_argv[4],argv[5],"");
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%d<%s<%s<%d<%d<%s",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],based_on_argv[5],"");
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
no vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%d<%s<%s<%d<%d<%s",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],based_on_argv[5],"");
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off) options WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%d<%s<%s<%d<%d<%s",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],based_on_argv[5],argv[6]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
no vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off) options WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%d<%s<%s<%d<%d<%s",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],based_on_argv[5],argv[6]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
vpn schedule name1 WORD name2 WORD policy (failover|backup) description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%s<%d<%s",1,*argv,argv[1],based_on_argv[2],argv[3]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
no vpn schedule name1 WORD name2 WORD policy (failover|backup) description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%s<%d<%s",1,*argv,argv[1],based_on_argv[2],argv[3]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
wlan filter mac address WORD descript WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x20,"%s%s%s%s%s%s<%s",octet_from_argv0[0],octet_from_argv0[1],octet_from_argv0[2],octet_from_argv0[3],octet_from_argv0[4],octet_from_argv0[5],argv[1]);
The function executing this code is vulnerable to a stack-based buffer overflow.
This stack-based buffer overflow can be reached using the following command template:
no wlan filter mac address WORD descript WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x20,"%s%s%s%s%s%s<%s",octet_from_argv0[0],octet_from_argv0[1],octet_from_argv0[2],octet_from_argv0[3],octet_from_argv0[4],octet_from_argv0[5],argv[1]);
The function executing this code is vulnerable to a stack-based buffer overflow.
2022-10-14 - Initial Vendor Contact
2022-10-20 - Vendor Disclosure
2022-11-24 - Vendor Patch Release
2023-01-26 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.