# Talos Vulnerability Report
### TALOS-2022-1577
## Robustel R1510 js_package install OS command injection vulnerability
##### October 14, 2022
##### CVE Number
CVE-2022-33150
##### SUMMARY
An OS command injection vulnerability exists in the js_package install functionality of Robustel R1510 3.1.16. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.
##### CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Robustel R1510 3.1.16
##### PRODUCT URLS
R1510 –
##### CVSSv3 SCORE
9.1 – CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
##### CWE
CWE-78 – Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)
##### DETAILS
The R1510 is an industrial cellular router. It offers several advanced software features like an innovative use of Open VPN, Cloud management, data over-use guard, smart reboot and others.
The R1510s web_server provides a functionality to add Nodejs app. This functionality is a three step process. First the `/action/import_nodejs_app/` API is used to actually import the Nodejs app into the router. Then the `/ajax/system_nodejs_app_upgrade_start/` API is used to start the installation process. Indeed, this API will finally call the `js_package` package binary with the command `install`.
Here is the relevant code of the `/action/import_nodejs_app/` API:
void /action/import_nodejs_app/(Webs *webs)
{
[…]
next_file = (WebsKey *)hashFirst(webs->files);
pcVar5 = file_path;
for (; next_file != (WebsKey *)0x0; next_file = (WebsKey *)hashNext(webs->files,next_file))
{
WebsUpload = (next_file->content).WebsUpload;
[…]
file_path = (char *)sfmt(“%s/%s”,”/tmp/upload”,WebsUpload->clientFilename);
pcVar3 = (char *)rename(WebsUpload->filename,file_path);
if (pcVar3 == (char *)0xffffffff) {
[…]
}
else {
FILENAME = string_clone(file_path);
}
}
}
[…]
This function will import the requests uploaded file and set the global `FILENAME` variable with the value `/tmp/upload/clientFilename>` where `WebsUpload->clientFilename` is the filename provided in the multipart request.
To start the installation process of the uploaded app, the `/ajax/system_nodejs_app_upgrade_start/` API must be called.
Here is the relevant part of the `/ajax/system_nodejs_app_upgrade_start/` API:
undefined4 /ajax/system_nodejs_app_upgrade_start/(Webs *webs)
{
[…]
command_array[0] = “js_package”;
command_array[1] = “install”;
command_array[2] = FILENAME;
command_array[3] = (char *)0x0;
_eval(command_array,0,0,&pid);
[…]
}
This function, eventually, will execute the `js_package install ` command. The `js_package` binary is responsible for actually performing the installation.
The `js_package` code:
int js_package(int argc,undefined4 *argv)
{
[…]
command = (char *)argv[1];
is_install = strncmp(command,”install”,7);
if (is_install == 0) {
[…]
filename = (char *)argv[2];
extension = strrchr(filename,L’.’);
if (extension == (char *)0x0) {
[…]
}
else {
extension_after_dot = extension + 1;
[…]
is_extension_tar = strncmp(extension_after_dot,”tar”,3);
if (is_extension_tar == 0) {
command = “tar xf %s -C %s”;
[…]
sysprintf(command,filename,”/app/node-js-app/tmp”); [1]
[…]
}
This function, if the `FILENAME` ends with `.tar`, will perform the `sysprintf` function. This function will execute the `vsnprintf` function with the provided arguments, then use the output as argument for the `system` function. So, at `[1]`, the command `tar xf -C /app/node-js-app/tmp` will be executed. Because `filename` is the same `FILENAME` specified in `/action/import_nodejs_app/`, this function is vulnerable to a command injection.
##### TIMELINE
2022-07-13 – Vendor Disclosure
2022-10-14 – Public Release
##### Credit
Discovered by Francesco Benvenuto of Cisco Talos.
* * *
Vulnerability Reports Next Report
TALOS-2022-1578
Previous Report
TALOS-2022-1579Read More