CVE-2024-32937
An OS command injection vulnerability exists in the CWMP SelfDefinedTimeZone functionality of Grandstream GXP2135 1.0.9.129, 1.0.11.74 and 1.0.11.79. A specially crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Grandstream GXP2135 1.0.11.74
Grandstream GXP2135 1.0.11.79
Grandstream GXP2135 1.0.9.129
8.1 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
The GXP2135 is one of the high-end VoIP phones offered by Grandstream Networks, Inc., and is commonly found in business offices. These phones support CWMP. CPE WAN Management Protocol (CWMP) is a remote management protocol for managing customer-premise equipment (CPE) and is defined by the Broadband Forum (TR-069 report). All models in Grandstream's GRP, GXP, and GHP series of VoIP phones are listed as supporting the CWMP (TR-069) standard.
The binary /app/bin/gs_cpe is responsible for handling the CWMP protocol, and a vulnerability exists in the function responsible for handling the Device.Time.X_GRANDSTREAM_SelfDefinedTimeZone parameter. Set parameter requests that change the timezone on the GXP2135 device are handled by the function set_selfdefinedtimezone_value. The parameter data is not filtered in any way and is used to construct a call to system. Due to the lack of filtering, this is vulnerable to an OS command injection. An annotated decompilation of this function is included here for reference.
int set_selfdefinedtimezone_value(uint param_1,uint param_2,uint param_3,char *setData)
{
  // [1] Data from timezone set requests comes in as the 4th parameter `setData`
  ...
  if (uVar1 != 0) {
    uVar1 = param_2 - 1 & 0xffff;
    iVar2 = *(int *)(uVar1 * 0x30 + *pattern + 0x24);
    if (iVar2 != 0) {
      if (setData == (char *)0x0) {
        return -1;
      }
      memory_set_data(iVar2,setData);
      // [2] Buffer for saving the command is zeroed
      memset(cmd,0,0x100);
      // [3] Constructs the command string that echoes the timezone parameter into the `/etc/TZ` file, using the attacker-controlled `setData` parameter
      snprintf(cmd,0x100,"echo \"%s\">%s",setData,"/etc/TZ");
      // [4] Executes the constructed command with root privileges
      system(cmd);
      cpe_check_parameter_need_reboot(uVar1);
      return 0;
    }
  }
  cwmp_send_fault(param_1,0x2329,"Request denied.");
  return -1;
}
At [1] the timezone value from the set request is passed to this function as the 4th parameter setData. At [2] a 256-byte buffer for holding the command string is zeroed. At [3] a call to snprintf builds the command that writes the attacker-controlled setData parameter to the /etc/TZ file. At [4] the constructed string is passed to system and executed with root privileges. Because setData is never checked against the format of a valid timezone string, a value containing shell metacharacters (for example a closing double quote followed by a command separator) can break out of the intended echo command and execute arbitrary OS commands with root privileges.
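To make the breakout concrete, the following is an added example written for this page in C; it is not Grandstream firmware code and not Talos's proof of concept. It rebuilds the command string exactly as the decompilation does (returning it instead of passing it to system()), adds an allowlist check for POSIX TZ syntax, and shows a hardened writer that drops the shell entirely. The function names, the 63-character length cap and the scratch path /tmp/tz_example are assumptions made for the example; the injected sample value is constructed here to show how a closing double quote and a command separator escape the echo.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Reproduces the string construction seen in set_selfdefinedtimezone_value:
 * the untrusted parameter is pasted straight into a shell command line.
 * The command is returned instead of being passed to system() so the
 * breakout can be inspected safely. Returns 0 on success, -1 on bad input. */
int build_tz_command_vulnerable(const char *setData, char *cmd, size_t cmdlen)
{
    if (setData == NULL || cmd == NULL || cmdlen == 0)
        return -1;
    memset(cmd, 0, cmdlen);
    snprintf(cmd, cmdlen, "echo \"%s\">%s", setData, "/etc/TZ");
    return 0;
}

/* Allowlist for a POSIX TZ string (e.g. "EST5EDT,M3.2.0,M11.1.0" or
 * "<+03>-3"): letters, digits and the punctuation the TZ syntax uses.
 * Everything else, including '"', ';', '$', '`', '|' and newlines, is
 * rejected. The length cap of 63 is an assumption made for this example.
 * Returns 1 if acceptable, 0 otherwise. */
int is_safe_tz_string(const char *tz)
{
    size_t i, n;

    if (tz == NULL)
        return 0;
    n = strlen(tz);
    if (n == 0 || n > 63)
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)tz[i];
        if (isalnum(c))
            continue;
        if (strchr("+-:,./<>", c) != NULL)
            continue;
        return 0;
    }
    return 1;
}

/* Hardened replacement (hypothetical, not vendor code): validate the value,
 * then write the file with stdio. No shell is involved, so even the '<' and
 * '>' permitted above can never become redirections. `path` is a parameter
 * rather than the fixed "/etc/TZ" so the routine can be exercised on a
 * scratch file. Returns 0 on success, -1 if rejected or the write fails. */
int write_tz_file_safe(const char *path, const char *tz)
{
    FILE *f;

    if (!is_safe_tz_string(tz))
        return -1;
    f = fopen(path, "w");
    if (f == NULL)
        return -1;
    if (fprintf(f, "%s\n", tz) < 0) {
        fclose(f);
        return -1;
    }
    return fclose(f) == 0 ? 0 : -1;
}

int main(void)
{
    /* Constructed sample values: a legitimate POSIX TZ string and one that
     * closes the echo's double quote and appends a second command. */
    const char *good = "EST5EDT,M3.2.0,M11.1.0";
    const char *bad = "UTC0\"; id; echo \"";
    char cmd[256];

    build_tz_command_vulnerable(good, cmd, sizeof cmd);
    printf("vulnerable path, benign value  : %s\n", cmd);
    build_tz_command_vulnerable(bad, cmd, sizeof cmd);
    printf("vulnerable path, injected value: %s\n", cmd);

    printf("allowlist accepts benign value  : %d\n", is_safe_tz_string(good));
    printf("allowlist accepts injected value: %d\n", is_safe_tz_string(bad));
    printf("hardened write of injected value: %d\n",
           write_tz_file_safe("/tmp/tz_example", bad));
    return 0;
}
```

Run on the injected sample value, the vulnerable builder yields `echo "UTC0"; id; echo "">/etc/TZ`, where the `;` after the first closing quote ends the echo and `id` runs as a separate command; the allowlist rejects the same value before any file is touched. The allowlist is a secondary control; the primary fix is that the hardened path never hands the value to a shell at all.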
The configuration required to expose this vulnerability is control over the Auto Configuration Server (ACS) for CWMP. An attacker can obtain this either by authenticating to the device's web server and configuring the ACS there, or by using man-in-the-middle methods to point the device at an attacker-controlled ACS: the ACS address can be manipulated via DNS poisoning, or supplied to the device via DHCP.
2024-04-24 - Initial Vendor Contact
2024-04-25 - Vendor Disclosure
2024-06-08 - Vendor Patch Release
2024-07-03 - Public Release
Discovered by Matthew Bernath of Cisco Talos.