Introduction

With the recent release of our binary zero-day identification feature, we wanted to demonstrate what it would look like, when applied in a variant analysis approach.

The research team spotted a Synacktiv blog post and immediately launched an analysis on Cisco WAP321 to see if we could find other vulnerabilities or simple variants of what was initially reported by them.

After a few minutes, the results were in. We identified 2 format string vulnerabilities, 160 stack buffer overflows, and 25 command injections. All of these paths are valid and unique but corresponds to a variation of the same vulnerability repeated over and over again.

For device manufacturers, having such capabilities will not only empower your PSIRT team to quickly assess bug reports but also enhance their ability to identify variations of reported bugs, thereby maximizing the impact of vulnerability fixes. Consequently, this will reduce the risk of cybercriminals, state-sponsored attackers, and opportunistic security researchers exploiting variations of reported and resolved issues.

Remote Command Execution

Affected vendor & productCisco Small Business 100, 300, and 500 Series Wireless APsVendor Advisoryhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-wap-multi-85G83CRBVulnerable versionALLFixed versionN/ACVE IDsCVE-2024-20335Impact (CVSS)CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:NCreditQ. Kaiser, ONEKEY Research Lab
Research supported by Certainity

Summary

The firmware version 1.3.0.7 of Cisco Access Point WAP371 is affected by a vulnerability allowing privileged and unprivileged users to execute commands on the system hosting the web service.

Impact

By successfully exploiting this vulnerability, remote authenticated attackers could gain remote command execution on the appliance with elevated privileges.

Description

One source of command injections is the use of unsanitized user input in tftp commands. Instead of reusing a unique TFTP handling function, this function is repeated for each and every feature needing TFTP.

For example, the pcap_download_handler feature will get the update.device.packet-capture.tftp-file-name parameter from the request:

And feed it right to the following command:

Similar behavior is observed for 16 of our reported issues, corresponding to 8 paths multiplied by 2 vulnerable parameters (the TFTP server parameter, and the fetched filename parameter).

Other examples of command injections include the Access Point management feature where authenticated users can define MAC address filtering. By injecting a command into the grantedMac request parameter, they could gain remote command execution:

Another one involves the setup wizard where a malicious user could gain remote command execution by injecting a payload in the wiz-manual-time-string request parameter holding the date setting of the access point:

Recommendation

This product being EOL, Cisco will not patch the vulnerability. If replacement of the EOL device is not possible, ensure access to the administration interface is restricted to administration network zones only, to reduce likelihood of exploitation.

Format String

Affected vendor & productCisco Small Business 100, 300, and 500 Series Wireless APsVendor AdvisoryTBAVulnerable versionALLFixed versionN/ACVE IDsTBDImpact (CVSS)CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:NCreditQ. Kaiser, ONEKEY Research Lab
Research supported by Certainity

Summary

The firmware version 1.3.0.7 of Cisco Access Point WAP371 is affected by a vulnerability allowing privileged and unprivileged users to execute commands on the system hosting the web service.

Impact

By successfully exploiting this vulnerability, remote authenticated attackers could gain arbitrary code execution on the appliance with elevated privileges.

Description

This is one of the funniest bugs of this device. The download.cgi allows authenticated users to pull logs from the device. Logs are either system logs pulled with the  /splashbin/get log-entry > /tmp/logs.txt command or rogue access points logs created by the RogueAP agent and saved to /tmp/rogueap_knownlist_export.txt.

To provide the logs, the CGI script opens the log file and read it line by line. For each line it reads, it sends it back to the HTTP client by using printf. See where this is going ?

So, if you can poison the system logs with a format operator (e.g. %p, %x), or emit beacon frames in the vicinity of that device with an SSID holding a format operator, you can obtain read-write primitives through format strings when the administrator pulls the logs from the appliance.

Recommendation

This product being EOL, Cisco will not patch the vulnerability. If replacement of the EOL device is not possible, ensure access to the administration interface is restricted to administration network zones only, to reduce likelihood of exploitation.

Stack Buffer Overflow

Affected vendor & productCisco Small Business 100, 300, and 500 Series Wireless APsVendor Advisoryhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-wap-multi-85G83CRBVulnerable versionALLFixed versionN/ACVE IDsCVE-2024-20336Impact (CVSS)CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:NCreditQ. Kaiser, ONEKEY Research Lab
Research supported by Certainity

Summary

The firmware version 1.3.0.7 of Cisco Access Point WAP371 is affected by a vulnerability allowing privileged and unprivileged users to gain arbitrary code execution.

Impact

By successfully exploiting this vulnerability, remote authenticated attackers could gain remote command execution on the appliance with elevated privileges.

Description

All the stack buffer overflows that were detected are

Recommendation

This product being EOL, Cisco will not patch the vulnerability. If replacement of the EOL device is not possible, ensure access to the administration interface is restricted to administration network zones only, to reduce likelihood of exploitation.

Key Takeaways

Our recently introduced binary static analysis feature equips the Product Security Response Team with an invaluable tool for identifying vulnerability variants within product lines. Whether detecting bugs during internal reviews or responding to reports from security researchers, this automated solution will report on every combination of user controlled source to dangerous function call path for known patterns.

With this innovative feature, users gain the confidence that every variant of a specific bug has been identified, all without necessitating access to the source code. Auditors and reversers will find this automated binary static analysis akin to having a diligent intern spot and validate "low hanging fruit" vulnerabilities, allowing them to direct their focus towards more complex issues.

Timeline

• 2024-01-25 –Report submitted to Cisco PSIRT, a case is opened.
• 2024-01-29 –Case is picked up by analysts, investigation starts.
• 2024-01-31 –Analysts mention the device is end-of-life but they still plan on releasing an advisory on March 6th.
• 2024-03-06 –Coordinated advisory release.
• 2024-03-06 –Release Cisco advisory.
• 2024-03-18 –Release ONEKEY advisory.