An unauthenticated attacker can exploit a race condition to read arbitrary files on the router. By sending a specially crafted packet to a PAPI service an attacker may read sensitive system files.
char * process_msg_ref(void *param_1,size_t param_2,int param_3,int param_4,ushort param_5,
undefined2 param_6)
{
char *__s;
char *__ptr;
char *local_2c4;
size_t msg_ref_len;
char msg_ref_body [256];
char acStack280 [232];
...
...
if (DAT_0001e99c != 0) {
...
...
...
PAPI packet setup
...
...
...
iVar3 = PAPI_Send(DAT_0001e99c,0,iVar2,param_2 + 0x4c);
if (0 < iVar3) {
PAPI_Free(DAT_0001e99c,iVar2);
__s = (char *)(iVar3 + 0x4c);
msg_ref_len = 0;
if (__s != (char *)0x0) {
__s = strdup(__s);
iVar2 = sscanf(__s,"msg_ref %u %s",&msg_ref_len,msg_ref_body);
if ((iVar2 == 2) && (msg_ref_len != 0)) {
local_2c4 = msg_ref_body;
syslog(7,"%s: %d: got msg_ref of len %u and body \'%s\'","process_msg_ref",0x16,msg_ref_len,msg_ref_body);
sVar4 = msg_ref_len - 1;
__ptr = (char *)malloc(msg_ref_len);
if (__ptr != (char *)0x0) {
msg_ref_len = sVar4;
iVar2 = strncmp(msg_ref_body,"http://",7);
if (iVar2 == 0) {
...
...
...
//Handle http case
...
...
...
}
else {
iVar2 = strncmp(msg_ref_body,"/tmp/",5);
if (iVar2 == 0) {
local_2c8 = msg_ref_body;
syslog(7,"%s: %d: opening \'%s\'","process_msg_ref",0x2f,msg_ref_body,local_2c4);
__stream = fopen(msg_ref_body,"r");
if (__stream != (FILE *)0x0) {
syslog(7,"%s: %d: reading large msg","process_msg_ref",0x34,local_2c8);
sVar4 = fread(__ptr,msg_ref_len,1,__stream);
if (sVar4 == 1) {
syslog(7,"%s: %d: read large msg of %u bytes","process_msg_ref",0x37,msg_ref_len);
__ptr[msg_ref_len] = '\0';
free(__s);
__s = __ptr;
}
fclose(__stream);
}
}
}
...
...
...
...
The function “process_msg_ref” is vulnerable to a race condition, this function will send a PAPI message to external service and wait for a response. An attacker can race that response and manipulate the router to return an arbitrary file.