Command injection Vulnerability Description

Vendor Of The Product: Phicomm K2G

Affected Products and Firmware version: Phicomm K2G v22.6.3.20

Vulnerability: Command injection

Vulnerability description: In the device program code of Phicomm Intelligent Router K2G (firmware version 22.6.3.20), the automatically upgraded parameters are spliced and directly executed to cause command injection vulnerability.

Vulnerability Analysis

Use the programmer to read the Fijian router firmware and use the binwalk to analyze the firmware:

Untitled

After analyzing the unpacked files of the binwalk, it was found that the device was developed in lua language, and the source code of the automatic upgrade function was written in the autoupgrade.lua file, so the code audit was carried out as follows:

  1. When saving the automatic upgrade configuration, the URL:http:// 192.168.2.1/cgi-bin/luci/; Stok = xxxxxx/admin/more_sysset/autoupgrade/save, triggering the save function.

Untitled

  1. Save the automatically upgraded save function is as follows. First, read the autoUpTime and mode parameters of http post request; When mode = 1, turn on the automatic upgrade function, and set the automatic upgrade time according to the autoUpTime parameters. When mode = 0, turn off the automatic upgrade function
  2. The vulnerability is in the code block where the automatic upgrade function is turned on. The input parameters are not filtered. After the parameters are directly spliced, the system is run, resulting in command injection vulnerability.

Untitled

Vulnerability verification

  1. Background management page-> advanced settings-> system settings-> open custom upgrade time: Vulnerability URL(stok value to be replaced): http://192.168.2.1/cgi-bin/luci/;stok=xxxxxx/admin/more_sysset/autoupgrade/
  2. after the package is captured, you can directly see the echo result after the command is executed by splicing the id command:

The Payload is as follows: mode=1&autoUpTime=02%3A05|id

Untitled