Monday, February 10, 2020

[Netis] Authenticated RCE on WF2471 wireless router (v1.2.30142) (CVE-2020-8946).

Netis Systems is a manufacturer of computer network hardware from Shenzhen, China. Their product range includes numerous devices such as wireless routers, access points, switches and adapters.

Device: WF2471
Firmware version: 1.2.30142

During our research, we found a couple of wireless router models vulnerable to a command injection in one of the parameters used when performing a system log cleanup.


Normally, the request takes a single parameter: log_name.



However, static analysis of the affected CGI file revealed a call to the system() function into which additional content can be injected by adding two extra parameters: type_change_clean and log_3g_type.


Then, the following conditions must be satisfied:

  1. log_name has to be equal to 3g, instead of ALL
  2. type_change_clean must be set to log_type

Finally, log_3g_type is the parameter where the actual injection takes place. OS commands are inserted between semicolon characters.
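A defender's view of the conditions above, as an added example that is not part of the original post: a Python triage function for captured form-encoded request bodies, reporting whether a request reaches the system() path and whether log_3g_type carries anything other than a plain token. The sample bodies, the CMD placeholder, the four labels and the assumption that legitimate log_3g_type values are simple alphanumeric tokens are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumption: a legitimate log type selector is a short plain token.
# Anything else (semicolons, spaces, quotes, ...) is treated as suspicious.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]*")


def classify(body):
    """Label one application/x-www-form-urlencoded request body.

    'exploit-shaped': both conditions from the write-up hold and
                      log_3g_type is not a plain token
    'probe'         : log_3g_type is not a plain token, conditions not met
    'sink-path'     : conditions met, value looks clean
    'normal'        : everything else (e.g. log_name=ALL only)
    """
    # separator="&" (Python 3.9.2+) keeps a raw ';' inside the value;
    # older parsers split on ';' and would hide the injected part.
    params = parse_qs(body, keep_blank_values=True, separator="&")

    # Check every occurrence: duplicated parameters must not hide a match.
    reaches_sink = ("3g" in params.get("log_name", [])
                    and "log_type" in params.get("type_change_clean", []))
    dirty = any(not SAFE_VALUE.fullmatch(v)
                for v in params.get("log_3g_type", []))

    if reaches_sink and dirty:
        return "exploit-shaped"
    if dirty:
        return "probe"
    if reaches_sink:
        return "sink-path"
    return "normal"


# Constructed sample bodies; CMD is a placeholder, not a real command.
SAMPLES = [
    "log_name=ALL",
    "log_name=3g&type_change_clean=log_type&log_3g_type=all",
    "log_name=3g&type_change_clean=log_type&log_3g_type=%3BCMD%3B",
    "log_name=3g&type_change_clean=log_type&log_3g_type=;CMD;",
    "log_name=ALL&type_change_clean=log_type&log_3g_type=%3BCMD%3B",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(f"{classify(body):15} {body}")
```

The same allowlist check, applied inside the CGI before the value is passed to a shell, is the input-validation side of the fix.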



Author: fjv
