# CVE-2023-33381-MitraStar-GPT-2741GNAC

### CVE-2023-33381: OS command injection on MitraStar GPT-2741GNAC
### Device: GPT-2741GNAC
### Firmware Version: AR_g5.8_110WVN0b7_2
### Vulnerability Description:

Upon logging in via SSH, I immediately noticed the limited set of available commands and options. It became evident that I was indeed confined to a restricted shell environment.

![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/0f01e2ee-59ed-49f2-b195-be4dcd52f90e)

After exploring several known vulnerabilities, I decided to delve into the search for new ones. To begin, I logged into the administrative portal and began testing various functionalities that could potentially result in OS command injection. Within the Diagnostic menu, I came across a particular feature that allowed me to test connectivity using the ping and traceroute commands.

![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/c1b96b7b-a7bb-45cd-b09e-eceab420a56e)

![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/825c7f40-e1a4-4ae8-adac-23c3cf8a0090)

So, I decided to try something sneaky by adding a ";" character to my command. I executed "cat /etc/passwd" and guess what? The command ran successfully.

![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/fb3f10b8-e877-4931-892d-6fb7c416439b)

I took it a step further and executed the "sed" command to replace the restricted shell entry in the "/etc/passwd" file with a full interactive shell.

![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/2cbafaf1-c2e2-471d-9581-34498d2c6a24)

As clearly illustrated in the image below, the modifications I made have enabled me to login and freely execute commands like "uname" and "cat"

![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/bc493a85-545c-4053-bd9a-711f029f0bde)

### Root of cause
Since I had complete admin privileges, I couldn't resist delving deeper to uncover the vulnerable component. While inspecting the browser requests, I noticed something interesting. There were two CGI files, "ping.cgi" and "DiagGeneral.cgi", being targeted by the requests.

![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/604ea667-e64d-47a3-95df-3306d1dd0c21)

After grabbing the files, I had some fun with reverse engineering using Ghidra. Here's the interesting part: in the "ping.cgi" file, I noticed that the **PingIPAddr** parameter was being directly taken from user input without any proper sanitization. The **PingIPAddr** parameter grabbed from user input was stored for future use utilizing the **tcapi_set** function.

![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/9566b95f-ce01-4662-aaea-0996ff0a3802)

Lastly, in the DiagGeneral.cgi file the PingIPAddr parameter was retrieved using the **tcapi_get** function and then directly used in the **system** function without any sanitization. This flaw creates a command injection vulnerability, enabling unauthorized execution of arbitrary commands on the system.

![image](https://github.com/duality084/CVE-2023-33381-MitraStar-GPT-2741GNAC/assets/7117259/3ed8eb1f-dcc3-47b3-9f5d-9b814485ca57)