
By:
Miguel Mendez
(Researcher & Pentester - Professional Services)


Command injection on router

Introduction

A new vulnerability affecting NR1800X routers, CVE-2022-41525, was recently published. It affects firmware version V9.1.0u.6279_B20210910. To understand the context of this vulnerability we can run some tests, such as emulating the firmware and running scripts in Ghidra that flag potentially dangerous calls which may lead to code execution or buffer overflows. The result is a long list of candidate functions worth reviewing (strcpy, system, sprintf and others).


In this case we focus on the function whose status is highlighted in red in the image, at address 0x0041a68c: this is the function that contains the vulnerability.




After this pre-analysis with Ghidra scripts we continue analyzing the cstecgi.cgi binary in IDA; switching between tools is purely a matter of convenience. Static analysis of the function at 0x0041a68c quickly shows the problem: on line 26 of the decompiled output the buffer v17 is filled with a formatted string that includes request-controlled data, and that buffer is then passed to system(), which executes it through the shell. This can be seen below:




Dynamic analysis


To go into more detail about how the parameters reach memory, we debug the firmware in system-mode emulation and perform a dynamic analysis. As a first step we place a breakpoint on websGetVar(), the function responsible for reading the values sent in the body of the request. In this case it fetches the parameter named ussd.




The string is then formatted with snprintf() and stored in the buffer at 0x7fff5230.




Here we can see what the formatted string finally looks like in the buffer.




Finally, the call to the system() function is made with the buffer as parameter.




Proof of Concept


For command execution to be reachable it is necessary to identify the action name, setUssd, that dispatches the request to the vulnerable handler. With that we can build a payload that injects a command into the ussd value and starts the telnetd service on the router.
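The snprintf()-into-system() flow traced in the static and dynamic analysis above, and the kind of ussd value the Proof of Concept sends, reconstructed as an added example. This is not code from cstecgi.cgi or from the author: the command template "ussd_tool %s", the helper binary path /usr/bin/ussd_tool, the buffer size and the USSD allowlist are assumptions made for illustration. The vulnerable handler is shown beside a hardened one that allowlists the value and passes it as a separate argv element instead of building a shell command line:

```c
/* Added example: a minimal reconstruction of the snprintf()+system()
 * pattern described above, beside a hardened handler.  This is NOT code
 * from cstecgi.cgi; the command template "ussd_tool %s", the binary path
 * and the USSD allowlist are assumptions made for illustration. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define CMD_MAX  256
#define USSD_MAX 32

/* Vulnerable pattern: the request parameter is formatted straight into a
 * shell command line.  The caller hands `out` to system(). */
int build_ussd_command_vuln(const char *ussd, char *out, size_t outlen)
{
    return snprintf(out, outlen, "ussd_tool %s", ussd); /* hypothetical template */
}

/* Does the command line that would reach system() contain `needle`
 * (e.g. an injected "telnetd")?  Used by the demo instead of running it. */
int vuln_command_contains(const char *ussd, const char *needle)
{
    char cmd[CMD_MAX];
    build_ussd_command_vuln(ussd, cmd, sizeof cmd);
    return strstr(cmd, needle) != NULL;
}

/* Hardening step 1: allowlist.  A USSD code is digits, '*' and '#',
 * 1..USSD_MAX chars.  Anything else (';', '&', '|', '`', '$', quotes,
 * whitespace, ...) is rejected before it gets anywhere near a command. */
int ussd_is_valid(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > USSD_MAX)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isdigit(c) && c != '*' && c != '#')
            return 0;
    }
    return 1;
}

/* Hardening step 2: never build a shell command line.  Pass the value as
 * its own argv element so no shell ever parses it.  Returns 1 and fills
 * argv[0..2] on success, 0 if the value is rejected. */
int build_ussd_argv(const char *ussd, const char *argv[3])
{
    if (!ussd_is_valid(ussd))
        return 0;
    argv[0] = "/usr/bin/ussd_tool"; /* hypothetical helper binary */
    argv[1] = ussd;
    argv[2] = NULL;
    return 1;
}

/* 1 if the hardened handler would accept and dispatch this value. */
int safe_handler_accepts(const char *ussd)
{
    const char *argv[3];
    return build_ussd_argv(ussd, argv);
}

/* Run argv with fork()+execv(); /bin/sh is never involved.  Returns the
 * child's exit status, or -1 on failure.  Not exercised by the demo. */
int run_without_shell(const char *argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* constructed request values: a benign code and an injection payload
     * of the kind described in the Proof of Concept (start telnetd) */
    const char *benign  = "*100#";
    const char *payload = "*100#;telnetd -l /bin/sh&";
    char cmd[CMD_MAX];

    build_ussd_command_vuln(payload, cmd, sizeof cmd);
    printf("vulnerable handler would run: %s\n", cmd);
    printf("hardened handler accepts \"%s\": %d\n", benign, safe_handler_accepts(benign));
    printf("hardened handler accepts \"%s\": %d\n", payload, safe_handler_accepts(payload));
    return 0;
}
```

Compile with gcc and run: the first line printed is the command line the vulnerable handler would hand to system(), with the injected telnetd intact. The hardened variant rejects the payload on the allowlist alone, and even a value that slipped past the allowlist could not be interpreted by a shell, because run_without_shell() uses execv() rather than system().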




Considering all this, it is possible to develop an exploit that chains two vulnerabilities. The first is a request that bypasses authentication and yields a valid session; that session is then used in the second request, which triggers the command injection itself. The final exploit can be seen in the following image.




To see it in action in real time, watch the following video, where the whole chain runs in just a few seconds.




Conclusion


As we often find, it is always possible to discover new vulnerabilities in systems that have already been analyzed. All manufacturers and devices may be vulnerable at some point; in cases like this one, where the brand claims to make "The Smartest Network Devices", it is worth remembering "Hypponen's Law": "If it's advertised as smart, it's vulnerable".