Routers/CVE-2023-33381-MitraStar-GPT-2741GNAC
1
0
Fork 0
mirror of https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC.git synced 2025-02-02 14:07:12 -03:00
Code Issues Projects Releases Packages Wiki Activity

Update README.md

Browse source
This commit is contained in:
duality084 2023-06-01 19:40:10 -03:00 committed by GitHub
parent 43d5f44f2b
commit 70d87af1f4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
README.md
View file

@ -17,7 +17,7 @@ So, I decided to try something sneaky by adding a ";" character to my command. I
![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/d9c780f9-649e-49a7-bb19-305abff583db) ![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/d9c780f9-649e-49a7-bb19-305abff583db)
So, I decided to try something sneaky by adding a ";" character to my command. I executed "cat /etc/passwd" and guess what? The command ran successfully. I took it a step further and executed the "sed" command to replace the restricted shell entry in the "/etc/passwd" file with a full interactive shell.
![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/729a7bf7-118b-4146-a2ec-3de32de9487e) ![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/729a7bf7-118b-4146-a2ec-3de32de9487e)
@ -26,11 +26,15 @@ As clearly illustrated in the image below, the modifications I made have enabled
![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/8ee5c6ba-b4c6-4a3f-829a-ebeb5945f18b) ![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/8ee5c6ba-b4c6-4a3f-829a-ebeb5945f18b)
### Root of cause ### Root of cause
Since I had complete admin privileges, I couldn't resist delving deeper to uncover the vulnerable component. While inspecting the browser requests, I noticed something interesting. There were two CGI files, "ping.cgi" and "DiagGeneral.cgi", being targeted by the requests.
![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/4c9bd5c9-c71b-4d04-b0b1-718195067902) ![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/4c9bd5c9-c71b-4d04-b0b1-718195067902)
After grabbing the files, I had some fun with reverse engineering using Ghidra. Here's the interesting part: in the "ping.cgi" file, I noticed that the **PingIPAddr** parameter was being directly taken from user input without any proper sanitization. The **PingIPAddr** parameter grabbed from user input was stored for future use utilizing the **tcapi_set** function.
![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/1ce7c0ff-8964-4934-a5a2-1cf96990c20b) ![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/1ce7c0ff-8964-4934-a5a2-1cf96990c20b)
Lastly, in the DiagGeneral.cgi file the PingIPAddr parameter was retrieved using the **tcapi_get** function and then directly used in the **system** function without any sanitization. This flaw creates a command injection vulnerability, enabling unauthorized execution of arbitrary commands on the system.
![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/a02e6faf-adc3-4da9-9efa-abc58f601a4f) ![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/a02e6faf-adc3-4da9-9efa-abc58f601a4f)