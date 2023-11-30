CVE-2023-27992 is a critical unauthenticated command injection on revisions of firmware before V5.21(AAZF.14)C0 for the Zyxel NAS product.

Per the Zyxel advisory, the CVE-2023-27992 is fixed in version V5.21(AAZF.14)C0 of the NAS 326 firmware.

The firmware’s accompanying “Release Note” PDF indicates that potentially two issues were fixed in this revision, while not referencing the CVE directly:

Modification in V5.21(AAZF.14)C0 |June 1 2023

[Bug fix]

– [SI-1480] Zyxel-SI-1480 [Vulnerability] Pre-authentication RCE in NAS326 (also affect NAS540, NAS542).

– [SI-1481] Zyxel-SI-1481 [Vulnerability] Pre-authentication RCE in NAS542 (also affect NAS326, NAS540).

The previous firmware version, V5.21(AAZF.13)C0, was obtained to compare the differences between the two:

V5.21.13 – 521AAZF13C0.bin md5sum 3533ad031f81375399a0858edcc2d7be

V5.21.14 – 521AAZF14C0.bin md5sum ba1b7828ec63b73074cc5885fded6375

Both firmware versions were recursively unpacked with binwalk -e -M, which helpfully located and unpacked a cpio archive and raw ext-2 filesystem in each:

./V5.21.14/_521AAZF14C0.bin-0.extracted/_68DB.extracted/845958.cpio

md5sum af5c31779d90728b91330f46c3396a61

./V5.21.13/_521AAZF13C0.bin-0.extracted/_68DB.extracted/845958.cpio

md5sum a74ea55986ee0ea2eb2b96a74912863c

./V5.21.14/_521AAZF14C0.bin-0.extracted/_736FDA.extracted/0.ext2

md5sum e303ec97af1e7146e1ba30e647f7d0a9

./V5.21.13/_521AAZF13C0.bin-0.extracted/_736FE2.extracted/0.ext2

md5sum a45fa04c8060521fbc4a4ee9af4a7828

A Python script was created to recursively compare the two firmware’s contents via their md5 hashes, starting with the cpio-root:

$ ln -s _521AAZF13C0.bin-0.extracted/_68DB.extracted/cpio-root V5.21.13/cpio-root

$ ln -s _521AAZF14C0.bin-0.extracted/_68DB.extracted/cpio-root V5.21.14/cpio-root

$ python diff.py V5.21.13/cpio-root V5.21.14/cpio-root

Found 451 in V5.21.13/cpio-root

Found 451 in V5.21.14/cpio-root

Files in V5.21.13/cpio-root but not in V5.21.14/cpio-root:

Files in V5.21.14/cpio-root but not in V5.21.13/cpio-root:

File Name : Hash 1 Hash 2

./firmware/sbin/mmiotool: 1a9436e0b08d1d53e1c3bd852ef13171 986228e4a7e4d23f4037ff238eef560a

./sbin/bin2ram : 0354a5530878f88318490a792c40e57d 08dfefbf89b4f6280068d088528bc185

./sbin/rtcAccess : c1db31c0c372ce3dcaf473a6a734f41a 0e47083e0b41b18bc1cb1d8e99b5ba3c

./sbin/ram2bin : 82d136c6003a30a05679bc87a53b9fbc 8b809f270f5f292de3e4202b4aa3c664

./bin/busybox : cee2559337528516f836e4986cca770a ec9ec8e17969f654a213616f7188a297 5 files with different hashes

446 files with identical hashes took 0.04s

The 5 different binaries in the cpio archive are probably not where the vendor fixed a command injection bug in an HTTP handler. On to the ext-2 filesystems.

First, they were mounted as loopback mounts:

$ mkdir V5.21.14/mnt V5.21.13/mnt

$ sudo mount -o loop,ro V5.21.13/_521AAZF13C0.bin-0.extracted/_736FE2.extracted/0.ext2 V5.21.13/mnt

$ sudo mount -o loop,ro V5.21.14/_521AAZF14C0.bin-0.extracted/_736FDA.extracted/0.ext2 V5.21.14/mnt

and then the Python script was run on them:

$ python diff.py V5.21.13/mnt V5.21.14/mnt

Found 6435 in V5.21.13/mnt

Found 6435 in V5.21.14/mnt

Files in V5.21.13/mnt but not in V5.21.14/mnt:

Files in V5.21.14/mnt but not in V5.21.13/mnt:

File Name : Hash 1 Hash 2

./usr/local/apache/web_framework/portal/Portal_PKG.pyc : 81b0490e0aebbd584ddeff291fa70388 470a3f8c0a3d74be79c265b5f8472113

./usr/local/apache/web_framework/controllers/iscsi_main.pyc : 0df1abf57768c332f58aea747e237bd9 c170c1c012ca0bb29d16040f2a4a7505

./usr/lib/python2.7/site-packages/netifaces.pyc : a59ceaf8622bc5b78efc52add794e66d 36807142d22221ee163c598181059c0e

[…]

./usr/local/apache/web_framework/controllers/photo_main.pyc : b9170eb9e6853076748c6fcc61a67a02 1f20dacbb2355b88c4e84bdd7dcad492

./usr/local/apache/web_framework/portal/sys_info.pyc : 4cdeab4c4b2ebae1f85b470a98db41db 599bb0071fe9f1e96263efa0f00cc19b

./usr/lib/python2.7/site-packages/rtslib/target.pyc : 023a924279198cd80985b107542124e0 2ec744438bc0b65c62c9e6d9ff8a6e6a

./usr/local/apache/web_framework/models/afp_main_model.pyc : 22fc9c37fd61820b9b8be7967b2e343f f0ec7c2dc97da8d80e07d7bb8a278502 367 files with different hashes

6068 files with identical hashes took 0.76s

This returned a lot of modified Python code. As it is all compiled in Python 2.7, it was easily decompiled using “uncompyle6”.

$ file V5.21.13/mnt/usr/local/apache/web_framework/controllers/fileBrowser_main.pyc

V5.21.13/mnt/usr/local/apache/web_framework/controllers/fileBrowser_main.pyc: python 2.7 byte-compiled

The following are the differences for the 1st .pyc file mentioned above:

$ uncompyle6 V5.21.13/mnt/usr/local/apache/web_framework/portal/Portal_PKG.pyc > portal_pkg_13.py

$ uncompyle6 V5.21.14/mnt/usr/local/apache/web_framework/portal/Portal_PKG.pyc > portal_pkg_14.py

$ diff portal_pkg_13.py portal_pkg_14.py

5,6c5,6

< # Embedded file name: /home/release-build/NAS326/521AAZF13B1/sysapps/web_framework/build/portal/Portal_PKG.py.pre

< # Compiled at: 2023-05-01 20:13:10

—

> # Embedded file name: /home/release-build/NAS326/521AAZF14B2/sysapps/web_framework/build/portal/Portal_PKG.py.pre

> # Compiled at: 2023-05-25 20:06:07

129c129

< # okay decompiling V5.21.13/mnt/usr/local/apache/web_framework/portal/Portal_PKG.pyc

—

> # okay decompiling V5.21.14/mnt/usr/local/apache/web_framework/portal/Portal_PKG.pyc

The results indicated the differences are present only in meta-data about the file.

$ python diff.py V5.21.13/mnt V5.21.14/mnt

Found 6435 in V5.21.13/mnt

Found 6435 in V5.21.14/mnt

Files in V5.21.13/mnt but not in V5.21.14/mnt:

Files in V5.21.14/mnt but not in V5.21.13/mnt:

File Name : Hash 1 Hash 2

./usr/bin/zydar : e5c3eb5304f6560fbfe728ce063fa20b 1b36bbf025d4db021ab576d01e4e1681

./usr/lib/libpam_misc.so.0.82.0 : 82833ded8b3b0c155595385ae8c814d8 84d807b2f511c767586470428986a9a7

./tmp.tar.gz : b4a411a7e6b6eade8fc14ec7f609cfa2 c4e980123fffd278c5f0bd3bc9bccaad

./usr/bin/zysync : cf6a08f7ed45ff8af18c3f603bd15254 477bb2134c635da6a05ce710d6a6f2ae

./lib/security/pam_nologin.so : 39663a137a7f97ee389430a927746deb 11660a733fe4a6b340e1f3c0ade79e0f

./usr/bin/stunnel : 2a96d39c46ea4c003ba637bb498f8a84 e4fd95e150d16d15241b8bd594dbb390

./lib/security/pam_auth_admin.so : 534af6726535cb9d7d2d7dd1cb4d7d3f 51021522504a5469025b5fe77b51d1f2

./usr/sbin/sqlite3 : 55231147879c092a1607d77610ead8f9 3a85198545eb1acd20e3f84346244a05

./usr/sbin/ntpdate : 3ba378abb0cacfe3e7b48099f0813016 c1e2f8ee13b88adde28a96fd3a894349

./usr/lib/libpam.so.0.83.1 : 8e031c33e14af77d1b8168f6bba29e42 f8ba7c475fa43d788070f9a7eb406331

./lib/security/pam_cloud_step2.so : f3f9952707dcb86f25360a23dc4581a4 f18d62c87198d170009505f7dfdc9138

./usr/local/bin/zysync : f4e77739154bbf1e56477667cd9e2452 f8d447a3b2029aaab23ce4cd5cd30462

./usr/bin/re_startime : de27606d02133e47ae05c93811a1066f 9ce7a64d8d8a15cd25b6e2830df94248

./usr/lib/libpam_misc.so.0.82.0T : 1fe6fead1575e564cb195555c78e2b28 1b6788e4020ea2f793033e46ff26b2e9

./usr/bin/schedule_controller : fc3f3b35f67723d306029f61cdd15709 9bf379ab050cc21a108ab6460c7b50e3

./lib/security/pam_cloud_step1.so : e5a1b471f5ca1ac6591ea5c14f9c00e7 4de44e848628ca0b3996c9145bfa757d 16 files with different hashes

6068 files with identical hashes

351 pyc files Decompiling and comparing 351 pyc files 8 threads 332/351

./usr/local/apache/web_framework/main_wsgi.pyc : 51b4a25e948d248237e22aee31faccd8 36a317f390ce61044f129995afda6005

Saving _usr_local_apache_web_framework_main_wsgi.pyc to top level dir

350/351

took 43.81s

The results showed a single file, main_wsgi.pyc, that was changed in the firmware. Comparing the actual changes in the decompiled Python code yielded:

$ diff -U3 V5.21.13_mnt_usr_local_apache_web_framework_main_wsgi.py V5.21.14_mnt_usr_local_apache_web_framework_main_wsgi.py

— V5.21.13_mnt_usr_local_apache_web_framework_main_wsgi.py 2023-09-07 11:33:00.773770420 -0600

+++ V5.21.14_mnt_usr_local_apache_web_framework_main_wsgi.py 2023-09-07 11:33:00.773770420 -0600

@@ -11,10 +11,54 @@

sys.path.append(‘%s/lib’ % directory_path)

import cherrypy, tools_cherrypy

from cherrypy.process.plugins import Daemonizer, PIDFile

+import re

cherrypy.tools.jsonify = cherrypy.Tool(‘before_finalize’, tools_cherrypy.jsonify_tool_callback, priority=30)

cherrypy.tools.uam = cherrypy.Tool(‘on_start_resource’, tools_cherrypy.uam_update_callback, priority=50)

cherrypy.tools.requestLog = cherrypy.Tool(‘before_handler’, tools_cherrypy.request_log_callback, priority=70) +def check_url_str(get_str):

+ pattern_str = re.compile(‘^[0-9a-zA-Z_]+$’)

+ if pattern_str.match(get_str):

+ return True

+ else:

+ return False

+

+

+def check_request_str(get_str):

+ if get_str.find(‘`’) == -1:

+ return True

+ else:

+ return False

+

+

+def check_str_format(get_str, item_type):

+ retvalue = ”

+ if type(get_str) == list:

+ for input_str in get_str:

+ if item_type == ‘url’:

+ retvalue = check_url_str(input_str)

+ elif item_type == ‘request’:

+ retvalue = check_request_str(input_str)

+ else:

+ return False

+ if retvalue == True:

+ continue

+ else:

+ return False

+

+ else:

+ if item_type == ‘url’:

+ retvalue = check_url_str(get_str)

+ else:

+ if item_type == ‘request’:

+ retvalue = check_request_str(get_str)

+ else:

+ return False

+ if not retvalue == True:

+ return False

+ return True

+

+

class mainApplication(object): def index(self):

@@ -70,29 +114,53 @@

tjp6jp6y4_to_wsgi_server._cp_config = {‘tools.jsonify.on’: False} def ck6fup6(self, *url_args, **request_args):

– url = tools_cherrypy.SOCKET_URL_PREFIX + ‘/ck6fup6_to_wsgi_server/%s/%s’ % (url_args[0], url_args[1])

– response = tools_cherrypy.socket_request(url, data=request_args, cookies=self.set_cookies())

– if response == tools_cherrypy.INT_SERV_ERROR:

– return tools_cherrypy.gui_errmsg(response)

+ if not check_str_format(url_args[0], ‘url’):

+ return

else:

– return response.json()

+ if not check_str_format(url_args[1], ‘url’):

+ return

+ else:

+ for key, value in request_args.items():

+ if not check_str_format(key, ‘request’):

+ return

+ if not check_str_format(value, ‘request’):

+ return

+

+ url = tools_cherrypy.SOCKET_URL_PREFIX + ‘/ck6fup6_to_wsgi_server/%s/%s’ % (url_args[0], url_args[1])

+ response = tools_cherrypy.socket_request(url, data=request_args, cookies=self.set_cookies())

+ if response == tools_cherrypy.INT_SERV_ERROR:

+ return tools_cherrypy.gui_errmsg(response)

+ return response.json()

+

+ return ck6fup6.exposed = True def tjp6jp6y4(self, *url_args, **request_args):

– if url_args[0] == ‘register_main’ and url_args[1] == ‘setCookie’:

– if not request_args.has_key(‘location’) or not request_args.has_key(‘cookie’):

– return

– cherrypy.response.status = 302

– cherrypy.response.headers[‘location’] = request_args[‘location’]

– cherrypy.response.headers[‘Set-Cookie’] = request_args[‘cookie’]

+ if not check_str_format(url_args[0], ‘url’):

+ return

else:

– url = tools_cherrypy.SOCKET_URL_PREFIX + ‘/tjp6jp6y4_to_wsgi_server/%s/%s’ % (url_args[0], url_args[1])

– response = tools_cherrypy.socket_request(url, data=request_args, cookies=self.set_cookies())

– if response == tools_cherrypy.INT_SERV_ERROR:

– return response

– return response.content

– return

+ if not check_str_format(url_args[1], ‘url’):

+ return

+ for key, value in request_args.items():

+ if not check_str_format(key, ‘request’):

+ return

+ if not check_str_format(value, ‘request’):

+ return

+

+ if url_args[0] == ‘register_main’ and url_args[1] == ‘setCookie’:

+ if not request_args.has_key(‘location’) or not request_args.has_key(‘cookie’):

+ return

+ cherrypy.response.status = 302

+ cherrypy.response.headers[‘location’] = request_args[‘location’]

+ cherrypy.response.headers[‘Set-Cookie’] = request_args[‘cookie’]

+ else:

+ url = tools_cherrypy.SOCKET_URL_PREFIX + ‘/tjp6jp6y4_to_wsgi_server/%s/%s’ % (url_args[0], url_args[1])

+ response = tools_cherrypy.socket_request(url, data=request_args, cookies=self.set_cookies())

+ if response == tools_cherrypy.INT_SERV_ERROR:

+ return response

+ return response.content

+ return tjp6jp6y4.exposed = True

tjp6jp6y4._cp_config = {‘tools.jsonify.on’: False}

It appears the patch sanitizes inputs for these two functions:

tjp6jp6y4()

ck6fup6()

where parts of the incoming URL are checked for non-alphanumeric characters, and both the keys and values of the “request” parameters are checked for backticks.

The sanitization of backticks implies command injection via a shell interpolation.