Vulnerabilities in Realtek SDK lead to problems in devices from 65 manufacturers

Four vulnerabilities have been identified in components of the Realtek SDK, which various manufacturers of wireless devices use in their firmware; they allow an unauthenticated attacker to remotely execute code on a device with elevated privileges. The issues are estimated to affect at least 200 device models from 65 different vendors, including various wireless router models from Asus, A-Link, Beeline, Belkin, Buffalo, D-Link, Edison, Huawei, LG, Logitec, MT-Link, Netgear, Realtek, Smartlink, UPVEL, ZTE and Zyxel.

The problem spans various classes of wireless devices based on RTL8xxx SoCs, from wireless routers and Wi-Fi range extenders to IP cameras and smart lighting controllers. Devices built on RTL8xxx chips use a two-SoC architecture: the first runs the manufacturer's Linux-based firmware, and the second runs a separate stripped-down Linux environment that implements the access point functions. The software of the second environment is assembled from standard components that Realtek supplies in its SDK, and these components, among other things, process the data received in requests from the network.

The vulnerabilities affect products that use Realtek SDK v2.x, Realtek "Jungle" SDK v3.0-3.4, and Realtek "Luna" SDK up to version 1.3.2. A fix has already been released in the Realtek "Luna" SDK 1.3.2a update, and patches for the Realtek "Jungle" SDK are in preparation. No fixes are planned for Realtek SDK 2.x, as that branch has already been discontinued. Working proof-of-concept exploits that achieve code execution on the device have been published for all of the vulnerabilities.

Identified vulnerabilities (the first two are rated with a severity score of 8.1, the rest 9.8):

  • CVE-2021-35392 - Buffer overflow in the mini_upnpd and wscd processes, which implement the "WiFi Simple Config" functionality (mini_upnpd handles SSDP packets, while wscd handles HTTP-based UPnP requests in addition to SSDP). An attacker can achieve code execution by sending a specially crafted UPnP "SUBSCRIBE" request with an oversized port number in the "Callback" field:
    SUBSCRIBE /upnp/event/WFAWLANConfig1 HTTP/1.1
    Host: 192.168.100.254:52881
    Callback:
    NT:upnp:event
  • CVE-2021-35393 - Vulnerability in the "WiFi Simple Config" handlers that manifests when the SSDP protocol is used (SSDP runs over UDP with a request format similar to HTTP). The problem is caused by the use of a fixed 512-byte buffer when processing the "ST:upnp" parameter in the M-SEARCH messages that clients send to discover services on the network.
  • CVE-2021-35394 - Vulnerability in the MP Daemon process, which performs diagnostic operations (ping, traceroute). Insufficient checking of the arguments passed when launching external utilities allows an attacker to inject their own commands.
  • CVE-2021-35395 - Series of vulnerabilities in the web interfaces built on the /bin/webs and /bin/boa HTTP servers. Both servers contain the typical flaw of not checking arguments before launching external utilities via the system() function; they differ only in which API endpoints are used to reach it. Neither handler had protection against CSRF attacks or the "DNS rebinding" technique, which lets requests be sent from an external network even when access to the interface is restricted to the internal network. Both processes also used the predefined supervisor/supervisor account by default. In addition, several stack overflows were found in the handlers, triggered by sending oversized arguments:
    POST /goform/formWsc HTTP/1.1
    Host: 192.168.100.254
    Content-Length: 129
    Content-Type: application/x-www-form-urlencoded

    submit-url=%2Fwlwps.asp&resetUnCfg=0&peerPin=12345678;ifconfig>/tmp/1 ;&setPIN=Start+PIN&configVxd=off&resetRptUnCfg=0&peerRptPin=
  • Additionally, several more vulnerabilities were identified in the UDPServer process. One of them, as it turned out, had already been discovered by other researchers back in 2015 but was never completely fixed. It is caused by a lack of proper validation of the arguments passed to the system() function and can be exploited by sending a string such as 'orf;ls' to network port 9034. A buffer overflow caused by insecure use of the sprintf function was also found in UDPServer and can likewise be used for attacks.
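The SSDP buffer overflow (CVE-2021-35393) and the UDPServer sprintf overflow are both the same class of defect: a value from the network is copied into a fixed-size buffer without checking its length first. The following C code is an added example written for this article; it is not code from the Realtek SDK or from the researchers who found the issues. It parses the "ST:" header of an SSDP M-SEARCH datagram into a buffer of the 512-byte size quoted above, but checks the length before copying and refuses an oversized value instead of overflowing or silently truncating. The function names (ssdp_get_st, is_st_header, demo_*) and the constructed datagrams are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Size of the fixed buffer the article describes for the ST value (512 bytes). */
#define ST_BUF_LEN 512

/* Case-insensitive test for a line that starts with "ST:" (SSDP header names
 * are case-insensitive, like HTTP header names). */
static int is_st_header(const char *p, size_t len)
{
    return len >= 3 && toupper((unsigned char)p[0]) == 'S'
                    && toupper((unsigned char)p[1]) == 'T' && p[2] == ':';
}

/* Extract the value of the "ST:" header from an SSDP M-SEARCH datagram into
 * `out` (capacity `out_len`).  Returns 1 on success, 0 if the header is
 * missing, and -1 if the value would not fit.  The unsafe pattern this
 * replaces copies the value into a fixed 512-byte array without checking its
 * length; here the length is checked before a single byte is copied, and an
 * oversized value is rejected rather than silently truncated. */
int ssdp_get_st(const char *msg, size_t msg_len, char *out, size_t out_len)
{
    const char *p = msg, *end = msg + msg_len;

    while (p < end) {                       /* walk the datagram line by line */
        const char *eol = memchr(p, '\n', (size_t)(end - p));
        size_t line_len = eol ? (size_t)(eol - p) : (size_t)(end - p);
        if (line_len > 0 && p[line_len - 1] == '\r')
            line_len--;                     /* strip the CR of the CRLF */

        if (is_st_header(p, line_len)) {
            const char *v = p + 3;
            size_t v_len = line_len - 3;
            while (v_len > 0 && (*v == ' ' || *v == '\t')) { v++; v_len--; }
            if (v_len >= out_len)           /* would overflow: refuse the packet */
                return -1;
            memcpy(out, v, v_len);
            out[v_len] = '\0';
            return 1;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return 0;
}

/* The three demonstrations below return the parser's verdict on constructed input. */
int demo_normal_st(void)            /* 1: an ordinary discovery request parses */
{
    const char *pkt = "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                      "MAN: \"ssdp:discover\"\r\nMX: 2\r\nST: upnp:rootdevice\r\n\r\n";
    char st[ST_BUF_LEN];
    if (ssdp_get_st(pkt, strlen(pkt), st, sizeof st) != 1) return 0;
    return strcmp(st, "upnp:rootdevice") == 0;
}

int demo_oversized_st(void)         /* -1: a 600-byte ST value is refused */
{
    /* Constructed parser test vector: a discovery request whose ST value is
     * 600 bytes of 'A', longer than the 512-byte buffer. */
    const char *head = "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nST: ";
    char pkt[1024], st[ST_BUF_LEN];
    size_t hl = strlen(head);
    memcpy(pkt, head, hl);
    memset(pkt + hl, 'A', 600);
    memcpy(pkt + hl + 600, "\r\n\r\n", 4);
    return ssdp_get_st(pkt, hl + 604, st, sizeof st);
}

int demo_missing_st(void)           /* 0: no ST header at all */
{
    const char *pkt = "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n\r\n";
    char st[ST_BUF_LEN];
    return ssdp_get_st(pkt, strlen(pkt), st, sizeof st);
}

int main(void)
{
    printf("normal: %d  oversized: %d  missing: %d\n",
           demo_normal_st(), demo_oversized_st(), demo_missing_st());
    return 0;
}
```

The design choice worth noting is that the parser rejects rather than truncates: a truncated search target would be answered as if it were a different, valid one, whereas a rejected datagram is simply dropped, which is the correct outcome for input no legitimate client produces.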

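CVE-2021-35394, CVE-2021-35395 and the UDPServer issue share a second root cause: request parameters are handed to system() without validation, and the web handlers additionally accept any Host header, which is what makes DNS rebinding work. The C code below is an added example for this article, not code from Realtek or from the researchers; it shows the three checks a hardened diagnostic or WPS handler would perform: a strict allow-list for a ping target, an exact-format check for the peerPin field seen in the request above, and a Host-header comparison against the device's own address. The helper names (diag_target_ok, wps_pin_ok, host_header_ok, run_ping) and the 253-byte hostname limit are this example's own assumptions; the 192.168.100.254 address is the one in the article's requests.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <arpa/inet.h>

/* Allow-list for a ping/traceroute target: either a dotted-quad IPv4 address
 * or a hostname built only from letters, digits, '-' and '.', at most 253
 * bytes and not starting with '-' or '.'.  Shell metacharacters such as ';',
 * '|', '>' and whitespace never pass, so "8.8.8.8;ls" is rejected outright. */
int diag_target_ok(const char *s)
{
    size_t n = strlen(s);
    struct in_addr a;
    if (n == 0 || n > 253) return 0;
    if (inet_pton(AF_INET, s, &a) == 1) return 1;
    if (s[0] == '-' || s[0] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '-' || c == '.')) return 0;
    }
    return 1;
}

/* A WPS peer PIN is exactly 8 decimal digits; anything else (including the
 * "12345678;ifconfig>/tmp/1 ;" form quoted in the article) is refused before
 * any external utility is considered. */
int wps_pin_ok(const char *s)
{
    if (strlen(s) != 8) return 0;
    for (int i = 0; i < 8; i++)
        if (!isdigit((unsigned char)s[i])) return 0;
    return 1;
}

/* Host-header check against DNS rebinding: the request is accepted only if
 * the Host header names the device's own address, optionally with a port.
 * A browser coaxed into sending a request to a rebound hostname carries that
 * hostname in Host, not the device's address, and is refused. */
int host_header_ok(const char *host, const char *own_addr)
{
    size_t n = strlen(own_addr);
    if (strncmp(host, own_addr, n) != 0) return 0;
    if (host[n] == '\0') return 1;
    if (host[n] != ':' || host[n + 1] == '\0') return 0;
    for (const char *p = host + n + 1; *p; p++)
        if (!isdigit((unsigned char)*p)) return 0;
    return 1;
}

/* Run ping without a shell.  The validated target is one argv element, so it
 * is passed to ping literally and can never be parsed as a command
 * separator.  Returns ping's exit status, or -1 if the target was rejected
 * or the child could not be started. */
int run_ping(const char *target)
{
    if (!diag_target_ok(target)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "1", (char *)target, NULL };
        execvp("ping", argv);
        _exit(127);                     /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *own = "192.168.100.254";   /* device address from the article's requests */
    printf("target '192.168.100.1' ok: %d\n", diag_target_ok("192.168.100.1"));
    printf("target '8.8.8.8;ls' ok: %d\n", diag_target_ok("8.8.8.8;ls"));
    printf("pin '12345678' ok: %d\n", wps_pin_ok("12345678"));
    printf("pin '12345678;ifconfig>/tmp/1 ;' ok: %d\n", wps_pin_ok("12345678;ifconfig>/tmp/1 ;"));
    printf("host '%s:80' ok: %d, host 'rebound.example' ok: %d\n", own,
           host_header_ok("192.168.100.254:80", own), host_header_ok("rebound.example", own));
    printf("ping 127.0.0.1 exit status: %d\n", run_ping("127.0.0.1"));
    return 0;
}
```

Validation alone is not what removes the injection: run_ping never builds a shell command string at all, so even a target that slipped past the allow-list would reach ping as a single argument rather than as shell syntax. The allow-list then prevents the remaining argument-level abuses, such as option-like values, and the Host check ensures the handler only acts on requests that were genuinely addressed to the device.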
Source: opennet.ru
