Talos Vulnerability Report

TALOS-2023-1868

Peplink Smart Reader /bin/login privilege escalation vulnerability

April 17, 2024
CVE Number

CVE-2023-40146

SUMMARY

A privilege escalation vulnerability exists in the /bin/login functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted command line argument can lead to a limited-shell escape and elevated capabilities. An attacker can authenticate with hard-coded credentials and execute unblocked default busybox functionality to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Peplink Smart Reader v1.2.0 (in QEMU)

PRODUCT URLS

Smart Reader - https://www.peplinkworks.com/Smart-Reader.asp

CVSSv3 SCORE

6.8 - CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-77 - Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

DETAILS

The Peplink Smart Reader is the access-control hardware associated with the PepXIM Time-Logging and Security System. It is used to manage access to buildings, workstations and public transit, as well as for employee time management.

The device utilizes a custom /bin/login binary for authentication to the device via serial console. This custom implementation of /bin/login adds several undocumented “accounts” to the device, each of which will trigger different binaries when successfully authenticated.

These accounts are named qctest, cli, wificli and iot, and they map to the following commands.

qctest  -> /usr/sbin/qctest
cli     -> /bin/cli
wificli -> /bin/wireless_cli.sh
iot     -> `cd /tmp; /bin/iotsh`

This all occurs within the main function of /bin/login, beginning at offset 0x401788. A decompilation is included below for reference.

...
if (strcmp(tty, "ttyS0") == 0 || strcmp(tty, "console")) {
    if (strcmp(password, "qctest") == 0 && strcmp(username, "qctest") == 0) {
        puts("\n");
        system("/usr/bin/qctest");
    }
} 
if (strcmp(password, "cli") == 0 && strcmp(username, "cli") == 0) {
    puts("\n");
    system("/bin/cli");
} else if (strcmp(password, "wificli") == 0 && strcmp(username, "wificli") == 0) {
    puts("\n");
    system("/bin/wireless_cli.sh");
} else if (strcmp(password, "iot") == 0 && strcmp(username, "iot") == 0) {
    puts("\n");
    system("cd /tmp ; /bin/iotsh");
}
...

Of interest is the iot account, as /bin/iotsh is a custom-built busybox which, when executed as iotsh, limits the applets that can be executed to the following: cm, exit, ifconfig, iperf, modem_connect_enable, ping, route, tcpdump, traceroute. It does not limit access to all busybox builtins, one of which is exec. An attacker who can connect to the serial console of the device can authenticate as the iot user and escape the limited shell by running exec /bin/sh, which grants them an uninhibited root shell.

VENDOR RESPONSE

The vendor links to new firmware versions at the end of their advisory: https://forum.peplink.com/t/peplink-security-advisory-smart-reader-firmware-1-2-0-cve-2023-43491-cve-2023-45209-cve-2023-39367-cve-2023-45744-cve-2023-40146/47256

TIMELINE

2023-11-30 - Vendor Disclosure
2024-04-17 - Vendor Patch Release
2024-04-17 - Public Release

Credit

Discovered by Matt Wiseman of Cisco Talos.