8.8 CVE-2023-1389

CISA Kev Catalog RCE Path Traversal Exploit
 

TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.
https://nvd.nist.gov/vuln/detail/CVE-2023-1389

Categories

CWE-77 : Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. an attack-oriented phrase for this weakness. Note: often used when "OS command injection" (CWE-78) was intended. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) If at all possible, use library calls rather than external processes to recreate the desired functionality. If possible, ensure that all external commands called from the program are statically created. Run time: Run time policy enforcement may be used in an allowlist fashion to prevent use of any non-sanctioned commands. Assign permissions that prevent the user from accessing/opening privileged files. injection of sed script syntax ("sed injection") API service using a large generative AI model allows direct prompt injection to leak hard-coded system prompts or execute other prompts. anti-spam product allows injection of SNMP commands into confiuration file image program allows injection of commands in "Magick Vector Graphics (MVG)" language. Python-based dependency management tool avoids OS command injection when generating Git commands but allows injection of optional arguments with input beginning with a dash (CWE-88), potentially allowing for code execution. Canonical example of OS command injection. CGI program does not neutralize "|" metacharacter when invoking a phonebook program. Chain: improper input validation (CWE-20) in username parameter, leading to OS command injection (CWE-78), as exploited in the wild per CISA KEV. injection of sed script syntax ("sed injection") injection of sed script syntax ("sed injection")

References

vulnreport@tenable.com Exploit


 

CPE

cpe start end
Configuration 1
AND
   cpe:2.3:o:tp-link:archer_ax21_firmware:*:*:*:*:*:*:*:* < 1.1.4
  Running on/with
  cpe:2.3:h:tp-link:archer_ax21:-:*:*:*:*:*:*:*


REMEDIATION




EXPLOITS


Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
http://packetstormsecurity.com/files/174131/TP-Link-Archer-AX21-Command-Injec...
https://www.tenable.com/security/research/tra-2023-11


CAPEC


Common Attack Pattern Enumerations and Classifications

id description severity
136 LDAP Injection
High
15 Command Delimiters
High
183 IMAP/SMTP Command Injection
Medium
248 Command Injection
High
40 Manipulating Writeable Terminal Devices
Very High
43 Exploiting Multiple Input Interpretation Layers
High
75 Manipulating Writeable Configuration Files
Very High
76 Manipulating Web Input to File System Calls
Very High