CVE-2024-45416 in ZTE
Summary
by MITRE • 09/17/2024
The HTTPD binary in multiple ZTE routers has a local file inclusion vulnerability in session_init function. The session -LUA- files are stored in the directory /var/lua_session, the function iterates on all files in this directory and executes them using the function dofile without any validation if it is a valid session file or not. An attacker who is able to write a malicious file in the sessions directory can get RCE as root.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 09/20/2024
The vulnerability identified as CVE-2024-45416 represents a critical local file inclusion flaw within the HTTPD binary of multiple ZTE router models. This security weakness resides in the session_init function which processes session files stored in the /var/lua_session directory. The implementation lacks proper validation mechanisms to verify the authenticity and integrity of files before execution, creating an avenue for arbitrary code execution. The vulnerability stems from the function's indiscriminate iteration and execution of all files within the designated session directory using the dofile function without any sanitization or authorization checks.
The technical exploitation of this vulnerability occurs through the manipulation of the session directory where the HTTPD binary stores session files. Attackers who can achieve write access to the /var/lua_session directory can place malicious Lua scripts that will be automatically executed by the vulnerable function. This creates a privilege escalation scenario where the attacker gains root-level execution privileges, as the dofile function operates with elevated permissions. The vulnerability aligns with CWE-22 which describes improper limitation of a pathname to a restricted directory, commonly known as path traversal attacks. The flaw demonstrates poor input validation and improper access controls that allow unauthorized code execution within the system's privileged execution context.
The operational impact of CVE-2024-45416 extends beyond simple remote code execution as it provides attackers with complete system compromise capabilities. Since the vulnerability allows for root-level execution, adversaries can manipulate network configurations, install persistent backdoors, exfiltrate sensitive data, and establish unauthorized access to connected networks. The affected ZTE routers serve as network gateways, making this vulnerability particularly dangerous as it can enable attackers to pivot through connected networks and potentially compromise larger infrastructure. The vulnerability's presence in the HTTPD binary indicates that it affects the router's web management interface, which typically requires authentication, but the local file inclusion aspect allows for exploitation even without valid credentials if an attacker can write to the session directory.
Mitigation strategies for CVE-2024-45416 should focus on both immediate protective measures and long-term architectural improvements. Organizations should implement strict access controls to prevent unauthorized file system modifications in the /var/lua_session directory, including proper file permissions and ownership settings. Network segmentation and monitoring should be enhanced to detect suspicious file creation activities in critical system directories. The implementation of input validation and file type checking mechanisms should be enforced to prevent execution of unauthorized files. From an ATT&CK perspective, this vulnerability maps to T1059.007 for execution through scripting and T1548.001 for privilege escalation. Regular firmware updates from ZTE should be implemented immediately, while network administrators should consider disabling unnecessary services and implementing intrusion detection systems to monitor for exploitation attempts. The vulnerability also highlights the importance of secure coding practices and proper validation of file operations in embedded systems, particularly in network infrastructure devices where the consequences of exploitation can be severe.