Security researcher Yerodin Richards has found an authenticated remote code execution (RCE) vulnerability in Arris routers. This is the type of router that ISPs typically provide on loan for customers' telephony and internet access.

After responsible disclosure, Richards published a Proof-of-Concept (PoC) that demonstrates how he, ironically, used the verification against itself.

The Arris router firmware version 9.1.103 authenticated RCE exploit has been tested against the TG2482A, TG2492, and SBG10 models, devices that are commonly found in the Caribbean and Latin America, says Richards.

According to Richards, when he contacted Arris (acquired by CommScope), the company said the devices running the vulnerable firmware are end-of-life (EOL) and are no longer supported by the company. This means that they are unlikely to ever get updated, even though the SBG10 is actively listed on its website.

Authenticated

An authenticated RCE means an attacker would need login credentials in order to exploit the vulnerability. However, it is likely that a majority of users have not changed their default router credentials, because it is too complicated or they are simply not told clearly enough that this is a necessary step in the setup process. So once an attacker knows the default credentials, they can happily exploit the vulnerability.

Richards added: "It is also worth noting that there is no https setting to secure credentials in transit. I think this makes it a perfect target for botnets like Mirai that gained success using default credentials, and more experienced attackers may have more clever ways to circumvent this."

How to protect yourself

Since we do not expect the vendor or the ISPs to patch this vulnerability, we asked the researcher for his advice.

"As for mitigation, an easy and effective way is to simply use a strong password, but still this does not stop an attacker from eavesdropping on the unprotected traffic containing the password or even manipulating the browser to gain access. A more desirable form of mitigation would be to change the firmware completely but as you said providers are lax about pushing updates and there is no easy way for an end user to do this themselves. They could run the exploit to gain a root shell and try to patch it from there but this is by no means a simple solution."

The vulnerability

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. This vulnerability will be listed under CVE-2022-45701.

While testing options to achieve shell script command injection, the researcher found that $ is accepted. That was promising, but when paired into $( it was neutralized. This implies that the developer was intentionally trying to prevent command injection this way. However, there is still a flaw in the verification. If any of the disallowed characters or $( is in the object, the object is not set and keeps its previous value. But in the case of \ it is simply removed from the payload after verification. This allows $() to be set by inputting $\(). This could easily have been prevented by also neutralizing $ or ( individually. With this knowledge Richards was able to add a netcat reverse TCP shellcode and get a shell.
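The validate-then-strip ordering described above, modelled as an added example (not the firmware's code and not from Richards' PoC). The DISALLOWED_CHARS set is a constructed placeholder, since the article does not list the real blocklist; the flawed class keeps the previous value on rejection exactly as the text describes, and the hardened class shows the fix of normalising before validating and rejecting $ and ( individually.

```python
# Constructed placeholder for the firmware's real blocklist (not given on the page).
DISALLOWED_CHARS = set(";|&`<>")


class VulnerableConfig:
    """Flawed order of operations: verify the raw input, then strip backslashes."""

    def __init__(self, initial: str):
        self.value = initial

    def set(self, candidate: str) -> bool:
        # Verification: any disallowed char or the "$(" sequence rejects the write,
        # and the object keeps its previous value.
        if any(c in DISALLOWED_CHARS for c in candidate) or "$(" in candidate:
            return False
        # Flaw: "\" is removed only after verification, so "$\()" becomes "$()".
        self.value = candidate.replace("\\", "")
        return True


class HardenedConfig:
    """Fix: canonicalise first, then validate, and block "$" and "(" on their own."""

    def __init__(self, initial: str):
        self.value = initial

    def set(self, candidate: str) -> bool:
        cleaned = candidate.replace("\\", "")  # normalise before checking
        blocked = DISALLOWED_CHARS | {"$", "(", ")"}
        if any(c in blocked for c in cleaned):
            return False  # previous value kept
        self.value = cleaned
        return True


def compare(candidate: str):
    """Apply one candidate to both models; returns ((accepted, value), (accepted, value))."""
    v, h = VulnerableConfig("default"), HardenedConfig("default")
    return (v.set(candidate), v.value), (h.set(candidate), h.value)


if __name__ == "__main__":
    print(compare("$\\()"))   # the page's bypass: vulnerable model stores "$()"
    print(compare("myhost"))  # benign value accepted by both
```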