Merge pull request #6676 from galoget/main

Added template for Ruijie Password Hashes Leakage

vulnerabilities/ruijie/ruijie-password-leak.yaml

@@ -1,13 +1,17 @@
 id: ruijie-password-leak
 
 info:
-  name: RG-UAC Ruijie Password Leak
-  author: ritikchaddha
+  name: RG-UAC Ruijie - Password Hashes Leak
+  author: ritikchaddha,galoget
   severity: high
-  description: Security Notice of Information Disclosure Vulnerability in Multiple Firewall Devices
+  description: |
+    Multiple Firewall Devices from vendor Ruijie Networks are affected by an information leakage vulnerability where credentials are included in the source code of the web admin login interface (usernames, roles, MD5 hashes and additional details of each user). Attackers can use this information to illegally access into the vulnerable devices, obtain sensitive device information and change configurations. The vulnerability is identified by CNVD-2021-14536.
   reference:
     - https://forum.butian.net/share/177
+    - https://www.ruijie.com.cn/gy/xw-aqtg-zw/86924/
+    - https://www.cnvd.org.cn/flaw/show/CNVD-2021-14536
   metadata:
+    verified: true
     shodan-query: http.html:"Get_Verify_Info"
   tags: password,leak,ruijie,exposure,firewall,router
 
@@ -18,9 +22,12 @@ requests:
 
     matchers-condition: and
     matchers:
-      - type: regex
-        regex:
-          - 'user_passwd\/\*"([a-z0-9]+)"\*\/\);'
+      - type: dsl
+        dsl:
+          - 'contains(tolower(body), ''\"role\":\"super_admin\"'')'
+          - 'contains(tolower(body), ''\"role\":\"guest_admin\"'')'
+          - 'contains(tolower(body), ''\"role\":\"reporter_admin\"'')'
+        condition: or
 
       - type: status
         status:
@@ -29,6 +36,5 @@ requests:
     extractors:
       - type: regex
         part: body
-        group: 1
         regex:
-          - 'user_passwd\/\*"([a-z0-9]+)"\*\/\);'
+          - '"password":"[a-f0-9]{32}'