Vulnerable releases for CVE-2019-12272

Hello,

I am currently wanting to reproduce the command injection bug reported in CVE-2019-12272. Though my efforts have been unsuccessful so far.

I am a bit confused by description of the vulnerability:

Does that mean that LuCI versions <= 0.10 are vulnerable? In that case, the newest release of OpenWrt I could find that fits this requirement is v10.03 (LuCI 0.9-0-1), but that release has no real-time monitoring endpoints?

In addition to this, the commit that fixed this issue was made in mid 2018.

I have tested all major versions of OpenWrt (10, 12, 14, 15, 17 and 18)

Could someone please point me to a release that is vulnerable to this exploit?

@sammoore, welcome to the community!

Did you look at the reference section on the CVE page you posted?

The second link would take you here:

Screenshot from 2019-06-10 10-02-28.png993×214 24.8 KB

As you see, the commit is dated April 4, 2018. You would therefore need to find or compile an OpenWrt prior to that commit.

Also, per the Community Guidelines, please refrain from signing your posts.

@lleachii, thank you for the reply. As far as I know there are multiple versions that I have tried that were released before that commit was made (versions < 15?).

I have attempted to reproduce the bug on all of those versions unsuccessfully, is it possible that it has been fixed in those versions as well?

Unlikely, as most were EOLed before that date.

• If you're certain you've actually attempted the exploit properly, then it's more likely the previous versions didn't experience the bug.
• Also, note that the fix refers to a "possible shell injection."
• Lastly, the commit was issued and signed off by @jow, you may wish to ask him.

I have created a exploit for this CVE: https://github.com/oreosES/exploits/tree/master/CVE-2019-12272

Thank you very much for this! Have you managed to test it successfully against a specific OpenWrt version?