Shell CGI Static Code Analysis - Automatic Discovery of RCEs

We came across shell CGI scripts in embedded firmware again and again and decided to investigate those for common patterns and weaknesses.
‍
Embedded devices—from routers to IoT cameras—often run lightweight web servers with bash CGI scripts to handle HTTP requests. Due to constrained resources and the simplicity required by these systems, sh (be it bash, ksh, busybox, ...) is frequently chosen for CGI scripting. However, this convenience comes with challenges, especially when handling user-controlled data that can lead directly to command injection vulnerabilities.

How Shell CGI Works

In the Common Gateway Interface model, each HTTP request spawns a fresh script process, with request data exposed via environment variables or stdin.

In many embedded systems, the scripts are just bash executables that respond to the request and generate dynamic content. A few key internals include:

• Environment Variables from HTTP Parsing: When an HTTP message arrives, the server parses it and maps various headers and parameters to environment variables before invoking the script. For instance:
  • GET Parameters: The query part of the URL is stored in the environment variable $QUERY_STRING. This variable can then be parsed by the script to obtain user-supplied parameters.
  • POST Parameters: Unlike GET, POST data generally doesn’t appear directly in an environment variable. Instead, depending on the server's implementation, this data is sent in the standard input of the CGI process or temporarily stored for processing. Only in a few cases we saw deviations using a dedicated environment variable.
  • Cookies: HTTP cookies can be passed along in the variable $HTTP_COOKIE allowing the script to access session or preference information.
• Lightweight CGI in Embedded Stacks: Due to the need for minimal resource consumption, these features are often implemented in compact platforms such as BusyBox (which bundles a lightweight HTTP daemon) or the httpd component in other stripped-down web servers. Other minimal HTTP server implementations might also follow similar patterns. Their simplicity, however, makes them more susceptible when improper sanitization of these environment variables occurs.

Our Static Analysis Extension

We spent weeks investigating real world vulnerabilities, prioritizing critical ones and finally implementing static code analysis rules, that are capable of identifying Remote Code Execution vulnerabilities automatically. The idea of all those rules is to follow user data from untrusted origins like $QUERY_STRING to dangerous sinks like eval and others.

In the upcoming days we will share more insights about critical vulnerabilities that we were able to discover in real world embedded applications with this brand new feature in our platform.

Until then, let's walk through a short taxonomy of CGI bugs we've identified illustrated by with real world vulnerabilities that did not warrant a long and complex disclosure process. We did not request CVE identifiers for these specific bugs because either the code base is not largely used, the device has been end-of-life for a while, or the probability of exploitation is extremely low.

When it comes to using user controlled input unsanitized in a CGI shell script, there's a number of different ways to shoot you in the foot:

• Direct Execution of User Data - An HTTP parameter is assigned to a shell variable and invoked directly.
• Command Injection via eval - Attacker controlled input is fed into eval.
• Command Injection via backticks - Attacker controlled input is used within backticks.
• Sed-based Command Injection - Attacker controlled input is used within a sed call. By abusing the execute flag of sed, arbitrary commands can be run.

Sed Injection in Modded IP Cam Firmware

Summary

We identified an arbitrary command injection through sed injection in two mod-firmware projects for Yi IP camera (Yi-Hack-MSTAR and Yi-Hack-AllWinner)

Impact

Authenticated user can execute arbitrary commands with elevated privileges.

Description

Users can send JSON body to the CGI script which will then parse every entry of the JSON dictionary into $KEY and $VALUE variables. At the very end of the script, a call to sed is executed while the $KEY variable can be anything:

‍

If you send a JSON request to set_configs with the following body:

{".*\\)/id>a/e#": 1}

This will end up executing this sed call:

sed -i 's/^\(.*\)/id>a/e#\s*=\s*\).*$/\11/' /tmp/some/conf/file 

Which itself will execute the id>a command.

Timeline

• 26/02/2025 - ONEKEY notifies the maintainer by email
• 26/02/2025 - maintainer commit a patch to fix both issues

Unsafe Eval in Nokia 7705 Service Aggregation Router

Summary

Nokia 7705 Service Aggregation Routers expose a web interface allowing operators to configure the device. Three endpoints
( slidset.cgi, slidcommon.cgi and disablelog.cgi ) of the web interface are vulnerable to arbitrary command injection.

Impact

Authenticated users have the ability to execute arbitrary commands on affected devices with root privileges.

Unauthenticated users could also exploit this vulnerability by getting an operator to open a malicious web page, exploiting the lack of Cross-Site Request Forgery (CSRF) protection.

Description

The web interface operates with CGI scripts written in Bash. These shell scripts are performing insecure calls to eval with user controlled inputs, leading to arbitrary command injections.

The first vulnerability affects slidset.cgi that is used to set a so-called Subscriber Location ID (SLID), also known as the Subscriber Line Identifier. Post data submitted by the user through HTTP is processed by the script:

read QUERY_STRING
eval $(echo "$QUERY_STRING"|awk -F'&' '{for(i=1;i<=NF;i++){print $i}}')

In the context of the cgi scripts the variable QUERY_STRING is an environment variable that is configured in the busybox component to be equal to the post data. The post data is passed and evaluated by eval. This can be exploited by sending a request with the following curl command:

‍

Timeline

• 06/03/2025 - report sent to Nokia PSIRT
• 06/03/2025 - case opened by Nokia PSIRT
• 10/03/2025 - Nokia PSIRT requests more information about the firmware and hardware revisions
• 13/03/2025 - Nokia PSIRT requests more information about the firmware and hardware revisions
• 02/04/2025 - Nokia PSIRT provides a detailed explanation about the vulnerability, concluding that it does not warrant a CVE. ONEKEY agrees.

Full explanation from Nokia: "The issue identified is related to the GPON firmware of the GPON module for the 7705 SAR router running software release 8.0.R10. Before to go further, it may help to clarify that 7705 SAR products are composed of control cards (called CPM) and line cards I/O module for the various physical interfaces that can be switched/routed by the system. One of these modules was the GPON module.

The GPON module support was ended in April 2021 with SAR software release 21.4.R1. This module was only available in the SAR-M product and contains a single GPON physical interface. This hardware module and the associated software feature are therefore no longer supported and configurable since 2021.

Prior to this release, the issue identified by ONEKEY Research Labs would require an attacker with both physical access to the router backplane, and admin user account to reconfigure the GPON service to use the HTTP interface. With those conditions met, the attacker can send HTTP packets via the backplane ethernet interface to the GPON module, this HTTP interface was not intended for customer use. It is also to be noted that the GPON firmware is executed within the GPON module (line card I/O module) and does not give access to the control card, an attacker taking advantage of this interface would only affect the GPON connectivity. An attacker with physical access, or admin user access, can more simply disconnect the GPON interface to render this service inoperable.

Based on our analysis, the combinations of attack vectors for taking advantage of this interface and negligible impact limited to the GPON interface availability do not warrant to raise a CVE for this issue."

‍

Command Injection through Direct Execution in Freecom Dual Drive Network Center

Summary

The Freecom Dual Drive Network Center is a really old NAS solution. Its web interface expose an "installer" script that is always available and vulnerable to arbitrary command injection.

Impact

Remote unauthenticated users can execute arbitrary commands with elevated privileges.

Description

The installer.cgi bash script file vulnerable to command injection.The parameters gathered with the environment variable are executed directly without any sanitization.

The code looks like this:

Value=`echo ${QUERY_STRING}|/bin/cut '-d&' -f2|/bin/sed 's/\%20/\ /g'`
Value=`echo ${Value}|sed 's/\%20/\ /g'|sed 's/\%7B/\{/g'|sed 's/\%7D/\}/g'|sed 's/\%7E/\~/g'|\
sed 's/\%60/\`/g'|sed 's/\%5B/\[/g'|sed 's/\%5D/\]/g'|sed 's/\%25/\%/g'|\
sed 's/\%24/\$/g'|sed 's/\%21/\!/g'|sed 's/\%27/'\''/g'`
$Value

Which means you can exploit it this way:

curl http://ip.of.device/SetExecTable&id

Timeline

• 25/02/2025 - ONEKEY notifies VERBATIM (owner of Freecom) through email
• 26/02/2025 - VERBATIM indicates that the device is EoL. ONEKEY does not file CVE.

Key Takeaways

Upcoming blog posts

We know , we know, RCE in unreachable telecom routers, custom-made firmware or EoL devices does look like junk hacking. But fear not because we have a handful of security advisories stemming from insecure CGI to publish.

The following advisories are planned for publication, get back on those dates or subscribe to our RSS feed to be notified when they're public :)

• 26/05/2025 - Unauthenticated RCE in Smartbedded MeteoBridge
• 27/05/2025 - Unauthenticated RCE in TBD - postponed to June 24th
• 02/06/2025 - Authenticated RCE in Netcomm NTC-6200 and NWL-222
• 03/06/2025 - Authenticated RCE in Diviotec IP Cameras