id: comtrend-passsword-exposure

info:
  name: COMTREND ADSL Router CT-5367 C01_R12 - Remote Code Execution
  author: geeknik
  severity: high
  description: A vulnerability in COMTREND ADSL Router allows remote authenticated users to execute arbitrary commands via the telnet interface, the password for this interface is leaked to unauthenticated users via the 'password.cgi' endpoint.
  reference:
    - https://www.exploit-db.com/exploits/16275
  tags: router,exposure,iot,rce

requests:
  - method: GET
    path:
      - "{{BaseURL}}/password.cgi"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "pwdAdmin ="
          - "pwdSupport ="
          - "pwdUser ="
        condition: and