Monday, February 10, 2020

[GOCLOUD] - RCE in Gocloud Routers (authenticated) - (CVE-2020-8949)







The following Gocloud routers are vulnerable to OS command injection:

Affected Versions:
  • GOCLOUD S2A_WL - Firmware Version 4.2.7.16471
  • GOCLOUD S2A - Firmware Version 4.2.7.17278
  • GOCLOUD S2A - Firmware Version 4.3.0.15815
  • GOCLOUD S2A - Firmware Version 4.3.0.17193
  • GOCLOUD S3A (K2P MTK Version) - Firmware Version 4.2.7.16528
  • GOCLOUD S3A - Firmware Version 4.3.0.16572
  • GOCLOUD ISP3000 Intel(R) Xeon(R) E5-2660 - Firmware Version 4.3.0.17190
























These routers appear to be widely used in China, and they are vulnerable to command injection in the systemtools diagnostic function.

In the URL of the "ping" function, it is possible to inject a command by delimiting it with ";" at the beginning and end of the injected command.

For example:
http://x.x.x.x:8088/cgi-bin/webui/admin/tools/app_ping/diag_ping/;df;/5/56/false.com

The request must be sent after authenticating to the application.











I encountered the problem that some characters, such as "/", gave me problems, so I used base64 to encode the payload.
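A defender-side check for the request pattern described above, as an added example that is not part of the original post or the vendor's code: it scans web access logs for diag_ping requests whose path segments contain anything outside a hostname/number allow-list. The log format, the allow-list, the function names and the sample lines are assumptions made for illustration; because the check is an allow-list, the ";" delimiters are flagged whatever encoding the rest of the segment uses.

```python
import re
from urllib.parse import unquote, urlsplit

# Path prefix taken from the example URL in the post.
DIAG_PREFIX = "/cgi-bin/webui/admin/tools/app_ping/diag_ping/"
# Assumed allow-list: characters a hostname, IP literal or numeric option needs.
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9.:_-]+")
# Assumed log format: common/combined access log with a quoted request line.
REQUEST_LINE = re.compile(r'"(?:GET|POST) (.+?) HTTP/[\d.]+"')


def suspicious_segments(target):
    """Return decoded diag_ping path segments that fail the allow-list."""
    path = urlsplit(target).path
    if not path.startswith(DIAG_PREFIX):
        return []
    # Split on literal "/" before decoding, so an encoded %2F stays inside
    # its own segment and is flagged there instead of creating new segments.
    segments = [unquote(s) for s in path[len(DIAG_PREFIX):].split("/")]
    return [s for s in segments if s and not SAFE_SEGMENT.fullmatch(s)]


def scan(lines):
    """Return (line_number, bad_segments) for each log line worth triage."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_LINE.search(line)
        if match:
            bad = suspicious_segments(match.group(1))
            if bad:
                hits.append((number, bad))
    return hits


# Constructed sample log lines (documentation IPs, placeholder benign values).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Feb/2020:10:00:01 +0000] "GET ' + DIAG_PREFIX
    + '0/5/56/example.com HTTP/1.1" 200 512',
    '192.0.2.44 - - [10/Feb/2020:10:02:17 +0000] "GET ' + DIAG_PREFIX
    + ';df;/5/56/false.com HTTP/1.1" 200 2048',
    '192.0.2.44 - - [10/Feb/2020:10:02:40 +0000] "GET ' + DIAG_PREFIX
    + '%3Bdf%3B/5/56/false.com HTTP/1.1" 200 2048',
    '192.0.2.10 - - [10/Feb/2020:10:03:05 +0000] '
    '"GET /cgi-bin/webui/admin/status HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, bad in scan(SAMPLE_LOG):
        print(f"line {number}: unexpected diag_ping segment(s): {bad}")
```

The same allow-list applied server-side, before the value reaches a shell, is the corresponding input-validation fix.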











CVE-2020-8949

By: @Linuxmonr4
