Introduction
With the recent release of our binary zero-day identification feature, we wanted to demonstrate what it looks like when applied in a variant analysis approach.
The research team spotted a Synacktiv blog post and immediately launched an analysis of the Cisco WAP321 to see whether we could find other vulnerabilities, or simple variants of what they initially reported.
After a few minutes, the results were in. We identified 2 format string vulnerabilities, 160 stack buffer overflows, and 25 command injections. All of these paths are valid and unique, but they correspond to variations of the same vulnerability repeated over and over again.
For device manufacturers, having such capabilities will not only empower your PSIRT team to quickly assess bug reports but also enhance their ability to identify variations of reported bugs, thereby maximizing the impact of vulnerability fixes. Consequently, this reduces the risk of cybercriminals, state-sponsored attackers, and opportunistic security researchers exploiting variations of reported and resolved issues.
Remote Command Execution
Affected vendor & product | Cisco Small Business 100, 300, and 500 Series Wireless APs
Vendor Advisory | https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-wap-multi-85G83CRB
Vulnerable version | ALL
Fixed version | N/A
CVE IDs | CVE-2024-20335
Impact (CVSS) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Credit | Q. Kaiser, ONEKEY Research Lab. Research supported by Certainity
Summary
Firmware version 1.3.0.7 of the Cisco WAP371 access point is affected by a vulnerability that allows authenticated users, privileged or unprivileged, to execute commands on the system hosting the web service.
Impact
By successfully exploiting this vulnerability, remote authenticated attackers could gain remote command execution on the appliance with elevated privileges.
Description
One source of command injections is the use of unsanitized user input in tftp commands. Instead of calling a single shared TFTP helper, the same code is duplicated in each and every feature that needs TFTP, so the bug is duplicated with it.
For example, the pcap_download_handler feature reads the update.device.packet-capture.tftp-file-name parameter from the request and passes it straight into the shell command that invokes tftp.
Similar behavior is observed for 16 of our reported issues: 8 code paths multiplied by 2 vulnerable parameters (the TFTP server parameter and the fetched filename parameter).
Other command injections include the access point management feature, where authenticated users can define MAC address filtering. By injecting a command into the grantedMac request parameter, they gain remote command execution.
Another one involves the setup wizard, where a malicious user gains remote command execution by injecting a payload into the wiz-manual-time-string request parameter, which holds the date setting of the access point.
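The following is an added example, not code from the ONEKEY advisory or from the Cisco firmware: it reconstructs in C the pattern shared by the TFTP, grantedMac and wiz-manual-time-string injections above (a request parameter pasted verbatim into a shell command line) and places the hardened form beside it. The exact tftp command line, the /usr/bin/tftp path and the function names are assumptions made for the example; the validators are allow-lists, which is what the duplicated handlers should have called instead of re-implementing the TFTP logic each time.

```c
/* Added example: vulnerable command construction versus an allow-listed,
 * shell-free replacement. Not from the ONEKEY advisory or Cisco firmware. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern (assumed shape of the firmware's handlers): both request
 * parameters land verbatim in a command string later handed to system(), so a
 * server value such as "10.0.0.1; reboot" runs a second command. */
int build_tftp_command_vulnerable(char *out, size_t outlen,
                                  const char *tftp_server, const char *tftp_file)
{
    return snprintf(out, outlen, "tftp -g -r %s -l /tmp/capture.pcap %s",
                    tftp_file, tftp_server);
}

/* Hardened form, step 1: allow-list every parameter. Rejecting only ';' and
 * '|' is not enough; backticks, $(...), newlines and a leading '-' (option
 * injection) must go too, so accept a small character set instead. */
bool is_safe_hostname(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 253 || s[0] == '-') return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':')) return false;
    }
    return true;
}

bool is_safe_filename(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 255 || s[0] == '-' || s[0] == '.') return false; /* no options, no ".." */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return false; /* no '/', no traversal */
    }
    return true;
}

/* A MAC parameter such as grantedMac: exactly six colon-separated hex octets. */
bool is_valid_mac(const char *s)
{
    if (strlen(s) != 17) return false;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) { if (s[i] != ':') return false; }
        else if (!isxdigit((unsigned char)s[i])) return false;
    }
    return true;
}

/* Hardened form, step 2: never go through a shell. Build an argv and execv the
 * binary directly, so metacharacters in the arguments are never parsed.
 * Returns the tftp exit status, or -1 on validation failure / exec failure. */
int tftp_fetch_safe(const char *tftp_server, const char *tftp_file, const char *local_path)
{
    if (!is_safe_hostname(tftp_server) || !is_safe_filename(tftp_file)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "tftp", "-g", "-r", (char *)tftp_file,
                               "-l", (char *)local_path, (char *)tftp_server, NULL };
        execv("/usr/bin/tftp", argv); /* binary path is an assumption */
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[256];
    build_tftp_command_vulnerable(cmd, sizeof cmd, "10.0.0.1; reboot", "capture.pcap");
    printf("vulnerable command line: %s\n", cmd);
    printf("hostname accepted: %d\n", is_safe_hostname("10.0.0.1; reboot"));
    printf("filename accepted: %d\n", is_safe_filename("../../etc/passwd"));
    printf("grantedMac accepted: %d\n", is_valid_mac("00:11:22:aa:bb:cc;id"));
    return 0;
}
```

Both steps matter: the allow-list stops option injection and path traversal that execv alone would not, and execv stops shell metacharacter parsing that a blocklist alone would eventually miss. The date parameter of the setup wizard deserves the same treatment, with a validator matching the expected date format rather than a free-form string.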
Recommendation
This product is EOL, so Cisco will not patch the vulnerability. If replacing the EOL device is not possible, restrict access to the administration interface to administration network zones only, to reduce the likelihood of exploitation.
Format String
Affected vendor & product | Cisco Small Business 100, 300, and 500 Series Wireless APs
Vendor Advisory | TBA
Vulnerable version | ALL
Fixed version | N/A
CVE IDs | TBD
Impact (CVSS) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Credit | Q. Kaiser, ONEKEY Research Lab. Research supported by Certainity
Summary
Firmware version 1.3.0.7 of the Cisco WAP371 access point is affected by a format string vulnerability in the log download handler of the web service, which allows an attacker who can get a format directive into the device logs to gain arbitrary code execution when an authenticated user, privileged or unprivileged, downloads them.
Impact
By successfully exploiting this vulnerability, remote authenticated attackers could gain arbitrary code execution on the appliance with elevated privileges.
Description
This is one of the funniest bugs on this device. download.cgi lets authenticated users pull logs from the device. The logs are either system logs, produced with the /splashbin/get log-entry > /tmp/logs.txt command, or rogue access point logs created by the RogueAP agent and saved to /tmp/rogueap_knownlist_export.txt.
To serve the logs, the CGI script opens the log file and reads it line by line. Each line it reads is sent back to the HTTP client with printf, with the line itself used as the format string. See where this is going?
So, if you can poison the system logs with a format directive (e.g. %p, %x), or emit beacon frames in the vicinity of the device with an SSID containing one, you obtain read and write primitives through the format string when the administrator pulls the logs from the appliance.
Recommendation
This product is EOL, so Cisco will not patch the vulnerability. If replacing the EOL device is not possible, restrict access to the administration interface to administration network zones only, to reduce the likelihood of exploitation. Note that network restrictions do not stop the poisoning side of this bug: an attacker within radio range can still plant a format directive in the rogue AP logs through a beacon frame, so what the restriction limits is who can trigger it by pulling the logs.
Stack Buffer Overflow
Affected vendor & product | Cisco Small Business 100, 300, and 500 Series Wireless APs
Vendor Advisory | https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-wap-multi-85G83CRB
Vulnerable version | ALL
Fixed version | N/A
CVE IDs | CVE-2024-20336
Impact (CVSS) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Credit | Q. Kaiser, ONEKEY Research Lab. Research supported by Certainity
Summary
Firmware version 1.3.0.7 of the Cisco WAP371 access point is affected by a vulnerability that allows authenticated users, privileged or unprivileged, to gain arbitrary code execution.
Impact
By successfully exploiting this vulnerability, remote authenticated attackers could gain remote command execution on the appliance with elevated privileges.
Description
All the stack buffer overflows that were detected are
Recommendation
This product is EOL, so Cisco will not patch the vulnerability. If replacing the EOL device is not possible, restrict access to the administration interface to administration network zones only, to reduce the likelihood of exploitation.
Key Takeaways
Our recently introduced binary static analysis feature gives the Product Security Response Team a tool for identifying vulnerability variants within product lines. Whether detecting bugs during internal reviews or responding to reports from security researchers, this automated solution reports on every path from a user-controlled source to a dangerous function call for known patterns.
With this feature, users gain confidence that every variant of a specific bug has been identified, without needing access to the source code. Auditors and reversers will find this automated binary static analysis akin to having a diligent intern spot and validate "low hanging fruit" vulnerabilities, allowing them to direct their focus towards more complex issues.
Timeline
- 2024-01-25 – Report submitted to Cisco PSIRT, a case is opened.
- 2024-01-29 – Case is picked up by analysts, investigation starts.
- 2024-01-31 – Analysts mention the device is end-of-life but they still plan on releasing an advisory on March 6th.
- 2024-03-06 – Coordinated advisory release.
- 2024-03-06 – Release Cisco advisory.
- 2024-03-18 – Release ONEKEY advisory.