CVE-2023-33381-MitraStar-GP.../README.md

# CVE-2023-33381-MitraStar-GPT-2741GNAC
CVE-2023-33381: OS command injection on MitraStar GPT-2741GNAC

### Device: GPT-2741GNAC
### Firmware Version: AR_g5.8_110WVN0b7_2
### Vulnerability Description:

When logging in via SSH, it was apparent that one would be directed to a restricted shell instead of the expected full shell access.
![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/b5840811-334d-45d5-b3e3-7863969165a3)

After exploring several known vulnerabilities, I decided to delve into the search for new ones. To begin, I logged into the administrative portal and began testing various functionalities that could potentially result in OS command injection. Within the Diagnostic menu, I came across a particular feature that allowed me to test connectivity using the ping and traceroute commands.
![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/8ab3f70a-2291-4491-a989-9c49b5c69592)

![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/ab39a419-e528-4fa4-ae4f-0c4379c5c316)

So, I decided to try something sneaky by adding a ";" character to my command. I executed "cat /etc/passwd" and guess what? The command ran successfully.

![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/d9c780f9-649e-49a7-bb19-305abff583db)

I took it a step further and executed the "sed" command to replace the restricted shell entry in the "/etc/passwd" file with a full interactive shell.

![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/729a7bf7-118b-4146-a2ec-3de32de9487e)

As clearly illustrated in the image below, the modifications I made have enabled me to login and freely execute commands like "uname" and "cat"

![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/8ee5c6ba-b4c6-4a3f-829a-ebeb5945f18b)

### Root of cause
Since I had complete admin privileges, I couldn't resist delving deeper to uncover the vulnerable component. While inspecting the browser requests, I noticed something interesting. There were two CGI files, "ping.cgi" and "DiagGeneral.cgi", being targeted by the requests.

![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/4c9bd5c9-c71b-4d04-b0b1-718195067902)

After grabbing the files, I had some fun with reverse engineering using Ghidra. Here's the interesting part: in the "ping.cgi" file, I noticed that the **PingIPAddr** parameter was being directly taken from user input without any proper sanitization. The **PingIPAddr** parameter grabbed from user input was stored for future use utilizing the **tcapi_set** function.
![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/1ce7c0ff-8964-4934-a5a2-1cf96990c20b)

Lastly, in the DiagGeneral.cgi file the PingIPAddr parameter was retrieved using the **tcapi_get** function and then directly used in the **system** function without any sanitization. This flaw creates a command injection vulnerability, enabling unauthorized execution of arbitrary commands on the system.

![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/a02e6faf-adc3-4da9-9efa-abc58f601a4f)
Initial commit 2023-05-31 19:30:21 -03:00			`# CVE-2023-33381-MitraStar-GPT-2741GNAC`
			`CVE-2023-33381: OS command injection on MitraStar GPT-2741GNAC`
Update README.md 2023-05-31 20:28:01 -03:00
			`### Device: GPT-2741GNAC`
			`### Firmware Version: AR_g5.8_110WVN0b7_2`
			`### Vulnerability Description:`

Update README.md 2023-06-01 19:21:21 -03:00			`When logging in via SSH, it was apparent that one would be directed to a restricted shell instead of the expected full shell access.`
Update README.md 2023-05-31 20:28:01 -03:00			`![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/b5840811-334d-45d5-b3e3-7863969165a3)`

Update README.md 2023-06-01 19:21:21 -03:00			`After exploring several known vulnerabilities, I decided to delve into the search for new ones. To begin, I logged into the administrative portal and began testing various functionalities that could potentially result in OS command injection. Within the Diagnostic menu, I came across a particular feature that allowed me to test connectivity using the ping and traceroute commands.`
Update README.md 2023-05-31 20:28:01 -03:00			`![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/8ab3f70a-2291-4491-a989-9c49b5c69592)`

			`![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/ab39a419-e528-4fa4-ae4f-0c4379c5c316)`

Update README.md 2023-06-01 19:21:21 -03:00			`So, I decided to try something sneaky by adding a ";" character to my command. I executed "cat /etc/passwd" and guess what? The command ran successfully.`

Update README.md 2023-05-31 20:28:01 -03:00			`![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/d9c780f9-649e-49a7-bb19-305abff583db)`

Update README.md 2023-06-01 19:40:10 -03:00			`I took it a step further and executed the "sed" command to replace the restricted shell entry in the "/etc/passwd" file with a full interactive shell.`
Update README.md 2023-06-01 19:21:21 -03:00
Update README.md 2023-05-31 20:28:01 -03:00			`![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/729a7bf7-118b-4146-a2ec-3de32de9487e)`

Update README.md 2023-06-01 19:21:21 -03:00			`As clearly illustrated in the image below, the modifications I made have enabled me to login and freely execute commands like "uname" and "cat"`

Update README.md 2023-05-31 20:28:01 -03:00			`![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/8ee5c6ba-b4c6-4a3f-829a-ebeb5945f18b)`

Update README.md 2023-06-01 09:51:57 -03:00			`### Root of cause`
Update README.md 2023-06-01 19:40:10 -03:00			`Since I had complete admin privileges, I couldn't resist delving deeper to uncover the vulnerable component. While inspecting the browser requests, I noticed something interesting. There were two CGI files, "ping.cgi" and "DiagGeneral.cgi", being targeted by the requests.`
Update README.md 2023-06-01 09:51:57 -03:00
Update README.md 2023-05-31 20:35:42 -03:00			`![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/4c9bd5c9-c71b-4d04-b0b1-718195067902)`

Update README.md 2023-06-01 19:40:10 -03:00			`After grabbing the files, I had some fun with reverse engineering using Ghidra. Here's the interesting part: in the "ping.cgi" file, I noticed that the PingIPAddr parameter was being directly taken from user input without any proper sanitization. The PingIPAddr parameter grabbed from user input was stored for future use utilizing the tcapi_set function.`
Update README.md 2023-05-31 20:59:03 -03:00			`![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/1ce7c0ff-8964-4934-a5a2-1cf96990c20b)`

Update README.md 2023-06-01 19:40:10 -03:00			`Lastly, in the DiagGeneral.cgi file the PingIPAddr parameter was retrieved using the tcapi_get function and then directly used in the system function without any sanitization. This flaw creates a command injection vulnerability, enabling unauthorized execution of arbitrary commands on the system.`

Update README.md 2023-05-31 20:59:03 -03:00			`![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/a02e6faf-adc3-4da9-9efa-abc58f601a4f)`

Update README.md 2023-05-31 20:35:42 -03:00
Update README.md 2023-05-31 20:28:01 -03:00