Submission #462387: OVERTEK OT-E801G - OTE801G65.1.1.0 V1.1.0 Remote Code Execution

Title: OVERTEK OT-E801G - OTE801G65.1.1.0 V1.1.0 Remote Code Execution
Description: An unauthenticated Remote Code Execution (RCE) vulnerability was identified in the Ping and Traceroute functionality of the OVERTEK OT-E801G (firmware OTE801G65.1.1.0 V1.1.0). The flaw arises from the lack of validation on the ipaddr parameter, which allows attackers to inject and execute arbitrary commands on the underlying system.

## Vulnerability Details:
Root cause: the value of the ipaddr parameter is incorporated directly into an operating-system command string that is handed to a shell, without any sanitization or validation. An attacker can therefore append a shell separator followed by a command of their choosing, and the shell executes it alongside the intended ping or traceroute.

## Exploitation Example:
An attacker intercepts the HTTP request sent to the Ping or Traceroute functionality and modifies the ipaddr parameter so that it carries a second command. The following payload reads the /etc/passwd file:

ipaddr=x.x.x.x&&cat /etc/passwd

When the server processes this value, the shell first runs the ping against the supplied address (x.x.x.x is a placeholder for an address of the attacker's choosing) and then runs cat /etc/passwd. Note that && is a conditional separator: the second command only runs if the ping exits successfully, so the placeholder must be replaced with a reachable address. The file contents are then returned in the response.

## Impact:
This vulnerability allows unauthenticated remote attackers to:
- Execute arbitrary commands on the operating system with the privileges of the web server process.
- Read sensitive files such as /etc/passwd to enumerate system accounts.
- Take full control of the device with more advanced payloads, such as a reverse shell.

## Steps to Reproduce:
1. Intercept the HTTP request the application sends to the Ping or Traceroute functionality.
2. Replace the value of the ipaddr parameter with a payload such as:
   ipaddr=x.x.x.x&&cat /etc/passwd
3. Observe the response, which includes the contents of /etc/passwd (or the output of whatever command was injected).

## Severity:
Critical: the flaw requires no authentication and permits arbitrary command execution, compromising the confidentiality, integrity and availability of the device.
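The request shape in the steps above is easy to spot in web-server logs. The following is an added example, not part of the submission or of the vendor's software: it decodes the ipaddr parameter of requests to the diagnostic endpoint named in the PoC (diag_ping.cmd; the traceroute endpoint is not named on this page, so it is not matched) and flags any value containing a shell metacharacter. The log lines are constructed for illustration and are not real traffic.

```python
# Added example (not part of the VulDB submission): flag requests to the
# vulnerable diagnostic endpoint whose ipaddr value carries shell metacharacters.
import re
from urllib.parse import parse_qs, urlsplit

# Any of these lets a second command ride along with the address; a genuine
# IPv4/IPv6 address or hostname contains none of them.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\]")

# Picks the request target out of a Common Log Format line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

# Endpoint name taken from the advisory's PoC URL. The traceroute endpoint is
# not named on the page, so only the ping CGI is matched here.
WATCHED_PATHS = ("/diag_ping.cmd",)

# Constructed sample log lines for illustration, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2024:22:10:01 +0000] "GET /diag_ping.cmd?action=test&interface=ppp0.1&ipaddr=8.8.8.8&ipversion=4&sessionKey=test HTTP/1.1" 200 512
203.0.113.9 - - [12/Dec/2024:22:12:44 +0000] "GET /diag_ping.cmd?action=test&interface=ppp0.1&ipaddr=x.x.x.x%26%26cat%20/etc/passwd&ipversion=4&sessionKey=test HTTP/1.1" 200 1890
203.0.113.9 - - [12/Dec/2024:22:13:02 +0000] "GET /diag_ping.cmd?action=test&interface=ppp0.1&ipaddr=8.8.8.8%3Bid&ipversion=4&sessionKey=abc HTTP/1.1" 200 700
10.0.0.5 - - [12/Dec/2024:22:14:10 +0000] "GET /index.html HTTP/1.1" 200 3000
"""


def decode_ipaddr(target):
    """Return the decoded ipaddr values of a request to a watched path, else []."""
    parts = urlsplit(target)
    if parts.path not in WATCHED_PATHS:
        return []
    # parse_qs splits on the literal '&' first, so an encoded %26%26 survives
    # inside the value and decodes to '&&' exactly as the CGI would see it.
    return parse_qs(parts.query, keep_blank_values=True).get("ipaddr", [])


def find_injection_attempts(log_text):
    """Return (client, decoded ipaddr) for every request whose ipaddr contains
    a shell metacharacter."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client = line.split(" ", 1)[0]
        for value in decode_ipaddr(match.group("target")):
            if SHELL_META.search(value):
                hits.append((client, value))
    return hits


if __name__ == "__main__":
    for client, value in find_injection_attempts(SAMPLE_LOG):
        print(f"{client}: ipaddr={value!r}")
```

Decoding before matching matters: the PoC hides the && as %26%26, and a rule that only looks for a literal && in the raw request line would miss it.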
## Recommendation:
Implement strict input validation on the ipaddr parameter so that it accepts only a syntactically valid IP address (of the family indicated by ipversion) or a hostname, and rejects anything containing shell metacharacters. Invoke ping and traceroute without a shell, passing the target as a single argument (for example Python's subprocess.run() with the arguments passed as a list, or an execve-style call with an argv array), so that the value can never be interpreted as command syntax. Test every user-controlled input that reaches a system command for the same class of injection.

PoC:
http://example.com/diag_ping.cmd?action=test&interface=ppp0.1&ipaddr=x.x.x.x%26%26cat%20/etc/passwd&ipversion=4&sessionKey=test

In the URL, %26%26 is the encoding of && and %20 of a space; the sessionKey value is arbitrary, since the endpoint does not require authentication. If the response is an error requesting authentication, view the page source (Ctrl+U): the command output is present in the source, showing that the injected command was executed regardless.
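To make the recommendation concrete, the following added example (not the vendor's firmware code) places the unsafe pattern the advisory describes beside a hardened handler. The exact command line the firmware builds is not on the page, so "ping -c 4 <target>" is assumed; the validator and argv construction are the point.

```python
# Added example (not the vendor's firmware code): the unsafe pattern the
# advisory describes beside a hardened replacement. The exact command the
# firmware builds is not on the page; "ping -c 4 <target>" is assumed here.
import ipaddress
import re
import subprocess

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with '-', so a value can never be mistaken for
# a command-line option either.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_ping_command_vulnerable(ipaddr, ipversion="4"):
    """Mirrors the flaw: the parameter is spliced into a string a shell parses,
    so 'x.x.x.x&&cat /etc/passwd' becomes two commands."""
    tool = "ping6" if ipversion == "6" else "ping"
    return f"{tool} -c 4 {ipaddr}"


def is_valid_target(ipaddr, ipversion="4"):
    """Accept a literal IP address of the requested family, or a hostname.
    Everything else (metacharacters, spaces, leading '-') is rejected."""
    try:
        return str(ipaddress.ip_address(ipaddr).version) == ipversion
    except ValueError:
        return HOSTNAME_RE.match(ipaddr) is not None


def build_ping_argv(ipaddr, ipversion="4"):
    """Hardened: validate first, then pass the target as one argv element."""
    if ipversion not in ("4", "6"):
        raise ValueError("ipversion must be '4' or '6'")
    if not is_valid_target(ipaddr, ipversion):
        raise ValueError(f"rejected ipaddr: {ipaddr!r}")
    tool = "ping6" if ipversion == "6" else "ping"
    return [tool, "-c", "4", ipaddr]


def run_ping(ipaddr, ipversion="4", timeout=20):
    """Run the validated command with no shell involved: the argv list means
    the value is delivered to ping verbatim and is never parsed as syntax."""
    proc = subprocess.run(build_ping_argv(ipaddr, ipversion),
                          capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    payload = "x.x.x.x&&cat /etc/passwd"
    print("vulnerable:", build_ping_command_vulnerable(payload))
    try:
        build_ping_argv(payload)
    except ValueError as err:
        print("hardened:", err)
    print("hardened:", build_ping_argv("8.8.8.8"))
```

The two defences are independent on purpose: the validator rejects the payload before anything runs, and the argv form means that even a value which slipped past validation would reach ping as one opaque argument rather than being parsed by a shell.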
Source: http://example.com/diag_ping.cmd?action=test&interface=ppp0.1&ipaddr=x.x.x.x%26%26cat%20/etc/passwd&ipversion=4&sessionKey=test
User: c4ng4c3ir0 (UID 38456)
Submitted: 12/12/2024 22:12 (2 years ago)
Moderated: 27/12/2024 08:57 (14 days later)
Status: Accepted
VulDB entry: 289378 [Overtek OT-E801G OTE801G65.1.1.0 passwd&ipversion=4&sessionKey=test Privilege Escalation]
Points: 20
