# Authors: Raffaele Forte, Andrea Ferraris

Huawei HG532* are wireless home gateways for home or office ADSL.

The model HG532e is used in Panama by "Cable & Wireless Panama".
Shodan.io dork: "Content-Length: 11881" "no-cache" org:"Cable & Wireless Panama"

The model HG532s has been distributed in Italy by Wind-Infostrada since 2012 and is still in use.
Shodan.io dork: "Content-Length: 10814" "no-cache" org:"Wind"

The router is affected by a "Command Injection" vulnerability located in the web panel, allowing an authenticated user to obtain root access to the system.

The vulnerable function is used to check whether a domain/IP is reachable. Thanks to reverse engineering techniques we were able to identify the snippet of code that performs this action:

```
LOAD:00409B5C la   $a2, aPingSC4VarPing   # "ping %s -c 4 > /var/pingres.txt"
LOAD:00409B6C jalr $t9 snprintf           # call snprintf("ping %s ...", ...)
LOAD:00409B84 jalr $t9 system             # call system with previous snprintf result
LOAD:00409B9C jalr $t9 ATP_WEB_SendFile
```

As we can see, the web interface uses "system" to execute the PING command (LOAD:00409B84), and the command string is built by the preceding "snprintf" call (LOAD:00409B6C). Because the user-supplied host is formatted straight into the "%s" of a shell command line, any shell metacharacters it contains are interpreted by the shell that "system" spawns.
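The root cause above is the pattern snprintf("ping %s ...") followed by system(): the host is interpolated into a shell command line. The following C program is an added example written for this page, not code from the advisory authors or from the Huawei firmware; it shows the two fixes a defender would apply to such a reachability check. First, the target is validated against an allowlist of characters that can legitimately appear in a hostname or IP literal, so anything with shell metacharacters is rejected before it is used. Second, ping is launched with fork/execvp and an argument vector, so no shell is involved at all and the target can only ever be a single argv entry. The function names is_valid_ping_target and safe_ping are hypothetical, and the program assumes a POSIX host with a ping binary on PATH; the /var/pingres.txt output path mirrors the one seen in the disassembly.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Upper bound for a DNS name (RFC 1035); IPv4/IPv6 literals are shorter. */
#define MAX_TARGET_LEN 253

/* Allowlist validator (hypothetical name): accept only letters, digits,
 * '.', '-' and ':' so that hostnames, dotted IPv4 and IPv6 literals pass,
 * while space, ';', '|', '&', '`', '$', quotes, newlines and every other
 * shell metacharacter are rejected.  A leading '-' is also refused so the
 * value can never be mistaken for a ping option. */
bool is_valid_ping_target(const char *s)
{
    if (s == NULL) return false;
    size_t n = strlen(s);
    if (n == 0 || n > MAX_TARGET_LEN) return false;
    if (s[0] == '-') return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return false;
    }
    return true;
}

/* Hardened replacement for system("ping %s -c 4 > /var/pingres.txt"):
 * validates the target, then runs ping via execvp with an argv array
 * (no shell), redirecting the child's stdout to out_path.  Returns ping's
 * exit status, or -1 if the target is invalid or the process failed. */
int safe_ping(const char *target, const char *out_path)
{
    if (!is_valid_ping_target(target)) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Child: replace stdout with the result file, then exec ping. */
        if (freopen(out_path, "w", stdout) == NULL) _exit(127);
        char *const argv[] = { "ping", "-c", "4", (char *)target, NULL };
        execvp(argv[0], argv);
        _exit(127);                      /* only reached if exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs: two legitimate targets, three that a
     * validator must refuse before any command is built. */
    const char *samples[] = { "192.0.2.1", "example.com", "host; extra",
                              "-c", "2001:db8::1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %s\n", samples[i],
               is_valid_ping_target(samples[i]) ? "accepted" : "rejected");

    /* Actually ping a documentation address, writing where the firmware did. */
    int rc = safe_ping("192.0.2.1", "/var/pingres.txt");
    printf("safe_ping exit status: %d\n", rc);
    return 0;
}
```

The validator is deliberately stricter than "reject known-bad characters": an allowlist stays correct even if the command runner changes, whereas a denylist has to anticipate every metacharacter of every shell. Note that rejecting a leading '-' matters even with execvp, since otherwise the target could be parsed as a ping option rather than a host.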