Vulnerability examples
Many IoT devices such as dual-mode routers, IP cameras, and door locks provide their management services (showing device information, changing settings) through web pages served over HTTP. These management pages are generated by CGI programs that are compiled into the firmware. These CGI programs, which take specific parameters such as the values entered during login, are the components referred to above.
http://192.168.1.1/cgi-bin/startmenu.cgi?nameuser=main&start=main
When the user opens the Administrator settings page, the CGI program is called through a link like the one above, with the values the user entered placed in the parameters. Those values can then be passed to the system() function and executed.
These parameter values are passed on to the system, which uses them to return information or change settings. An attacker finds a path on which such a value reaches a shell-invoking function such as system(), inserts arbitrary commands into the vulnerable parameter value, and thereby changes the device's behaviour. This attack method is command injection.
If a parameter value is used as an argument of the system() function, you should be very careful: system() hands the string to a shell, and the shell interprets any special characters the string contains.
For example, the following diagram shows how the CGI program receives the name_user value through the req_get_cstream_var() function and processes it.
The name_user value is substituted into the %s fields of the format string “ipupdate -i eth1 -S gnuip -u %s:%s”, and sprintf() copies the resulting command string into a buffer in device memory.
The command built this way is then passed to the system() function and executed as a system command, as shown in the figure below.
Because the command is executed by a shell, the attacker can place special characters such as ; (semicolon), | (pipe), $ (dollar), etc. in the parameter value to have the shell execute a command of their choosing.
To deal with this, the input value must be validated. Be careful, however: attackers frequently bypass a validation function by using special characters it does not cover, so the check must be complete.
#include <stdio.h>
#include <stdlib.h>
char v1[256];                                  // fixed-size buffer in device memory
sprintf((char *)&v1, "%s", a1, "/tmp/log");    // a1 is the raw parameter value; the surplus "/tmp/log" argument is from the decompiled output and is ignored by sprintf
system((char *)&v1);                           // the string is handed to a shell
// If there is no input value validation for v1, the attacker can execute the desired command
When validating input, reject values that contain shell special characters rather than trying to strip them out, and also block the whitespace-bypass sequences, as described in the following procedure.
How to stop/fix or resolve this issue:
- When receiving a user input value, check whether the string contains the characters or sequences used for command injection.
- To prevent arbitrary command execution through input values, filter special characters, and also block the sequences used to bypass whitespace filters.
- Special characters: ; (semicolon), | (pipe), $ (dollar), () (parentheses), ` (backquote), <, > (angle brackets), \ (backslash), \n (newline), LF, CR, etc.
- Whitespace bypasses (URL encoding): (), /**/, +, %09 (\t), %0a (\n), %0b, %0c, %0d (\r), %a0, %20, etc.
Be aware that if the control is only partially implemented, the attack can be bypassed by means you did not anticipate.
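As an added example (not code from the page or from any device vendor), the following C program shows the check the procedure above asks for, applied to the name_user parameter from the ipupdate case. The value is percent-decoded first, so encoded bypass sequences such as %0a and %20 are examined in their decoded form; it is then accepted only if it matches an allowlist of user-name characters, which goes beyond the page's denylist (the denylist is kept as a secondary check). Execution avoids system() entirely by passing the value as a single argv element. The parameter name, the 31-byte length limit and the sample inputs are assumptions.

```c
/* Added example, not the page's code: validate an IoT CGI parameter before it
 * can reach a command. Assumed: the parameter is name_user, it arrives
 * URL-encoded, and it feeds "ipupdate -i eth1 -S gnuip -u <user>:<pass>". */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Percent-decode in place ('+' also becomes a space) and return the new length.
 * Validation must run on the decoded bytes: a filter that only looks for a
 * literal ';' or ' ' in the raw query string is bypassed by %3b, %0a, %09 or %20. */
size_t url_decode(char *s) {
    char *w = s;
    for (const char *r = s; *r; r++) {
        if (*r == '%' && isxdigit((unsigned char)r[1]) && isxdigit((unsigned char)r[2])) {
            char hex[3] = { r[1], r[2], '\0' };
            *w++ = (char)strtol(hex, NULL, 16);
            r += 2;
        } else if (*r == '+') {
            *w++ = ' ';
        } else {
            *w++ = *r;
        }
    }
    *w = '\0';
    return (size_t)(w - s);
}

/* The page's denylist (plus whitespace), applied after decoding. Kept only as a
 * secondary check: a denylist is only as complete as its author's memory. */
int has_shell_metachar(const char *s) {
    return strpbrk(s, ";|$()`<>\\\n\r \t\v\f") != NULL;
}

/* Primary control, an allowlist: 1..31 bytes of [A-Za-z0-9._-] (assumed limit).
 * Anything the command does not need is rejected, including characters that
 * no denylist mentions. */
int is_safe_username(const char *u) {
    size_t n = strlen(u);
    if (n == 0 || n > 31) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)u[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Full check for the raw name_user value: bounded copy, decode, allowlist, denylist.
 * Returns 1 if the value may be used, 0 if the request must be rejected. */
int name_user_ok(const char *raw) {
    char buf[64];
    if (strlen(raw) >= sizeof buf) return 0;   /* oversize values are rejected, never truncated */
    strcpy(buf, raw);
    url_decode(buf);
    return is_safe_username(buf) && !has_shell_metachar(buf);
}

/* Hardened execution: no shell at all. The user value is one argv element, so a
 * ';' or '$' in it would be a literal character for ipupdate, never a shell operator.
 * Returns the child's exit status, or -1 if it could not be run. */
int run_ipupdate(const char *user, const char *pass) {
    char userpass[128];
    if (snprintf(userpass, sizeof userpass, "%s:%s", user, pass) >= (int)sizeof userpass) return -1;
    char *const argv[] = { "ipupdate", "-i", "eth1", "-S", "gnuip", "-u", userpass, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample query values, as a CGI would receive them before decoding. */
    const char *samples[] = { "main", "main.01-x_", "a+b", "main%3bx", "main%0ax", "main%20x", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("name_user=%-10s -> %s\n", samples[i], name_user_ok(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

In a real CGI handler, name_user_ok() gates the request and run_ipupdate() replaces the sprintf()/system() pair shown earlier; the fork/exec path needs no filtering of shell operators because no shell ever sees the string, so the allowlist serves only to keep the value within what ipupdate itself expects.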
Since the CGI used for logout can also be abused, check the argument values the logout CGI accepts and verify the user's session when a logout is requested.