# Talos Vulnerability Report
### TALOS-2022-1641
## FreshTomato httpd logs/view.cgi OS command injection vulnerability
##### January 26, 2023
##### CVE Number
CVE-2022-42484
##### SUMMARY
An OS command injection vulnerability exists in the httpd logs/view.cgi functionality of FreshTomato 2022.5. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.
##### CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
FreshTomato 2022.5
Siretta QUARTZ-GOLD G5.0.1.5-210720-141020
AdvancedTomato commit 67273b0
##### PRODUCT URLS
FreshTomato – QUARTZ-GOLD –
##### CVSSv3 SCORE
9.1 – CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
##### CWE
CWE-78 – Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
##### DETAILS
FreshTomato is an open source firmware based on Linux. The firmware offers several features for Broadcom-based routers.
FreshTomato's httpd component offers several APIs. One is called `logs/view.cgi` and is used to query/view the log files.
One of the functions responsible for implementing this API is `wo_viewlog`:
```c
void wo_viewlog(char *url)
{
    char *p;
    char *c;
    char s[128];
    char t[128];
    int n;
    char lfn[256];

    if (!logok())
        return;

    get_logfilename(lfn);
    if ((p = webcgi_get("find")) != NULL) {                                        /* [1] */
        send_header(200, NULL, mime_plain, 0);
        if (strlen(p) > 64)
            return;
        c = t;
        /* Backslash-escape a fixed set of characters; drop non-printable ones. */
        while (*p) {
            switch (*p) {
            case '':    /* character literal missing on the page */
            case '|':
            case '"':
            case '\\':
                *c++ = '\\';
                *c++ = *p;
                break;
            default:
                if (isprint(*p))
                    *c++ = *p;
                break;
            }
            ++p;
        }
        *c = 0;
        snprintf(s, sizeof(s), "grep -ih \"%s\" $(ls -1rv %s %s.*)", t, lfn, lfn); /* [2] */
        web_pipecmd(s, WOF_NONE);                                                  /* [3] */
        return;
    }

    if ((p = webcgi_get("which")) == NULL)
        return;

    if (strcmp(p, "all") == 0)
        n = MAX_LOG_LINES;
    else if ((n = atoi(p))    /* listing is cut off here on the page */
```

... `" $(ls -1rv .*)`, which will be used at `[3]` by the `web_pipecmd` function, which calls the `popen` function and prints out the results.
Because no real sanitization is performed on the `find` parameter before it is placed in the command string, this function is vulnerable to command injection, which can lead to arbitrary command execution.
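A shell-free way to serve the same search, as an added example that is not FreshTomato's code or the vendor's patch: the log is scanned in-process, so the `find` value is only ever compared as data. `log_find`, `contains_nocase` and `demo` are hypothetical names; matching is fixed-string rather than `grep` regex, and only a single file is scanned.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive substring test: the needle is plain data, not a regex. */
static int contains_nocase(const char *line, const char *needle)
{
    size_t n = strlen(needle);
    for (; *line; ++line) {
        size_t i = 0;
        while (i < n && line[i] &&
               tolower((unsigned char)line[i]) == tolower((unsigned char)needle[i]))
            ++i;
        if (i == n)
            return 1;
    }
    return n == 0;
}

/* Hypothetical stand-in for the "find" branch: scans one log file in-process,
 * so no command string is ever built. Returns the hit count, or -1 on error. */
int log_find(const char *path, const char *needle, FILE *out)
{
    char line[1024];
    int hits = 0;
    FILE *f;

    if (needle == NULL || strlen(needle) > 64)  /* same cap as the original */
        return -1;
    if ((f = fopen(path, "r")) == NULL)
        return -1;
    while (fgets(line, sizeof(line), f) != NULL)
        if (contains_nocase(line, needle)) {
            fputs(line, out);                   /* matching line goes to the client */
            ++hits;
        }
    fclose(f);
    return hits;
}

/* Writes three constructed log lines to path and searches them. */
int demo(const char *path, const char *needle)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs("Jan  1 00:00:01 router dropbear[101]: login attempt\n"
          "Jan  1 00:00:02 router httpd[77]: query \"a|b\" received\n"
          "Jan  1 00:00:03 router kernel: link up\n", f);
    fclose(f);
    return log_find(path, needle, stdout);
}
```

Lines longer than the 1024-byte buffer are read in pieces, so a match that straddles a piece boundary is missed and a long line can be counted more than once.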
##### TIMELINE
2022-10-19 – Vendor Disclosure
2022-11-08 – Vendor Patch Release
2023-01-26 – Public Release
##### Credit
Discovered by Francesco Benvenuto of Cisco Talos.

