Post-authentication command injection in ZI 620 V400 VPN Router.
This time I'm introducing an easy RCE in a SOHO router widely deployed by ISPs in India. At the beginning of the investigation we could find approximately 2000 devices publicly exposed on Shodan.
The default username and password of this router model were root:root (surprise!). After logging into the administrator page we found a set of utilities for network analysis: ping, traceroute, nothing new for us. Command injection vulnerabilities are common in these web applications, but on this occasion the input was sanitized.
Telnet and SSH login can be enabled on these devices under "settings", but when you log in to the router, via SSH on this occasion, the terminal shows you a restricted environment with the same options we found in the web application.
This time, logged into the restricted SSH application, the command injection works by appending ";" to the selected option. That was so easy.
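As an added illustration that is not part of the original post (and not the router's code), here is what a safe version of that restricted menu looks like, plus a small check that flags the ";" pattern in a menu input log; the function names, regexes and sample log lines are my own for the example.

```python
import ipaddress
import re
import subprocess
from typing import List

# Hypothetical restricted-shell dispatcher written for this note (not the router's
# code). Appending ";" to a menu option escaping the restriction is the classic sign
# that the argument reached a shell. Fixes: accept only an IP literal or a hostname,
# and exec an argv list so no shell ever parses the value.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")
TOOLS = {"ping": ["ping", "-c", "4"], "traceroute": ["traceroute", "-m", "30"]}
SHELL_META = re.compile(r"[;&|`$<>(){}\n\\]")

def validate_target(target: str) -> str:
    """Return target if it is an IP address or DNS name, else raise ValueError."""
    target = target.strip()
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError("rejected target: %r" % target)

def is_valid_target(target: str) -> bool:
    try:
        validate_target(target)
        return True
    except ValueError:
        return False

def build_argv(tool: str, target: str) -> List[str]:
    """argv for a menu option: tool fixed by the menu, target validated, never shell-parsed."""
    if tool not in TOOLS:
        raise ValueError("unknown tool: %r" % tool)
    return TOOLS[tool] + [validate_target(target)]

def run_tool(tool: str, target: str) -> str:
    # No shell=True: even with looser validation, ";" would stay a literal argument.
    return subprocess.run(build_argv(tool, target), capture_output=True,
                          text=True, timeout=60).stdout

def flag_injection_attempts(log_lines: List[str]) -> List[str]:
    """Inputs from a menu's input log that carry shell metacharacters (detection)."""
    return [line for line in log_lines if SHELL_META.search(line)]

# Constructed sample of what a restricted menu might log; not from the device.
SAMPLE_LOG = ["ping 192.0.2.10", "traceroute example.net", "ping 192.0.2.10; id"]
```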
After that we uploaded a PowerPC SOCKS4a server coded by @_dreadlocked to the router to pivot into the organization. Thanks @_dreadlocked for your work!
And that's all, thanks for reading.
Affected version (others may be affected):
Disclosure timeline:
- 10/12/2019 Vendor notified. No response.
- 07/01/2020 Vendor notified. No response.
- 09/01/2020 CVE-2020-6760 assigned.
- 06/02/2020 Blog post.