漏洞平台

POC详情： 657e0132fb75c6a72f25f6923a27142b7938485a

来源

https://github.com/Dodge-MPTC/CVE-2023-31446-Remote-Code-Execution

关联漏洞

标题： Cassia Networks Gateway 安全漏洞 (CVE-2023-31446)
描述：Cassia Networks Gateway是Cassia Networks公司的一个物联网网关。 Cassia Networks Gateway XC1000_2.1.1.2303082218版本、XC2000_2.1.1.2303090947版本存在安全漏洞，该漏洞源于/bypass/config中的queueUrl参数未清理。

描述

Repository contains description for CVE-2023-31446

介绍

# CVE-2023-31446-Remote-Code-Execution
Repository contains description for CVE-2023-31446 discovered by Dodge Industrial Team for Dodge OPTIFY platfrom.
___  
CVE ID: CVE-2023-31446  
Vendor: Cassia Networks    
Product: Cassia Gateway Firmware  
Version: <2.1.1.230309*
___
Vulnerability: Remote Code Execution/Remote Code Injection  
Affected: gateways  
Decription: *queueUrl* parameter in */bypass/config* is not sanitized. This leads to injecting bash code and executing it with root privileges on device startup.  
Status: Confirmed by vendor, Fixed  
Version Patched: 2.1.1.230720*
____
#### Details
Cassia has implemented in the past function that allows Gateways to push bluetooth scan data to the SQS Amazon Services.  
The settings for mentioned functionality could be set by API endpoint:
> http://<ip>/bypass/config?type=sqs&keyId=<"keyId">&key=<"keysecret">&queueUrl=<"queueServiceUrl">  

Based on the investigation the SQS feature starts the service on the boot time of the device.  
Service loads configuration file, where mentioned endpoint overwrite the settings.  
Service after loading specified URL runs nslookup from root bash perspective what allows to run any command embeded into URL parameter.  
The access to the endpoint is not authenticated by default. More of that the feature was not described in the official Cassia documentation.
____
#### Exploitation

Attacker can embed bash command ${id} into *queueUrl* parameter:
![query](img/1.png)  

After rebooting device, gateway will run the command with root privileges (look A,AAA query):
![capture](img/2.png)  

##### *Note that gateway used linux device as gateway for easier capturing network flow and evidences*
Gateway -> Default Gateway (Linux) -> Internet

#### Remediation
- Enable and require API authentication (if possible in your version)
- Monitor traffic to gateway API
- Patch to the highest possible version availaible on [Cassia Networks](https://www.cassianetworks.com/)

文件快照


 [4.0K]  /data/pocs/657e0132fb75c6a72f25f6923a27142b7938485a
├── [4.0K]  img
│   ├── [ 36K]  1.png
│   └── [ 90K]  2.png
└── [1.9K]  README.md

1 directory, 3 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。