Post-authentication command injection in ZI 620 V400 VPN Router.

This time I'm introducing an easy RCE in a SOHO router that ISPs in India deploy widely. At the beginning of the investigation we found approximately 2000 of these devices publicly reachable through Shodan.

(Screenshot: Shodan search results for the device)

The default username and password of this router model were root:root (surprise!). After logging into the administrator page we found a set of network diagnostic utilities: ping, traceroute, nothing new. Command injection vulnerabilities are common in these web utilities, but on this occasion the input was sanitized.

Telnet and SSH login can be enabled on these devices under "settings", but when you log in to the router, via SSH in our case, the terminal presents a restricted environment with the same options we found in the web application.

(Screenshot: restricted SSH menu)

This time, logged into the restricted SSH application, the command injection works by appending ";" followed by a command to the argument of the selected option. That was easy: the web front end sanitized the input, but the same options reached through the SSH menu did not.

(Screenshot: shell obtained through the injection)
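To make the difference between the two front ends concrete, here is an added example (not the router's firmware and not the author's code) of a diagnostics menu written in Python. The vulnerable builder glues the user's argument into a string handed to /bin/sh, the shape that lets ";" start a second command; the hardened builder allow-lists the option, validates the target as an IPv4 address or hostname, and executes an argv list without a shell. The tool table, function names and the "-W 1" timeout are assumptions made for illustration.

```python
import re
import subprocess

# Hypothetical reconstruction of a "diagnostics menu" like the one behind the
# router's restricted SSH shell. Added example, not the vendor's code: the
# tool table and function names are assumptions. "-W 1" bounds ping's wait
# so the demonstration finishes quickly without network access.
TOOLS = {
    "ping": ["ping", "-c", "1", "-W", "1"],
    "traceroute": ["traceroute", "-m", "5"],
}


def vulnerable_command(option: str, target: str) -> str:
    """Build the command the naive way: the user's argument is glued into a
    shell string. Nothing stops a ';' from ending ping and starting a second
    command, which is the bug described above."""
    return " ".join(TOOLS[option]) + " " + target


def run_vulnerable(option: str, target: str) -> str:
    """Run the glued string through /bin/sh, as a menu that calls system()
    or popen() would. Returns stdout, so an injected 'echo' is visible even
    when ping itself fails or is missing."""
    proc = subprocess.run(
        vulnerable_command(option, target),
        shell=True,  # sh parses the string, so ';' is a command separator
        capture_output=True,
        text=True,
    )
    return proc.stdout


# Accept only an IPv4 dotted quad or an RFC 1123 hostname. Shell
# metacharacters (; | & ` $ ( ) newline, space) cannot match, and a leading
# '-' is rejected so the target cannot be parsed as an option by the tool.
_IPV4 = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"
)
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def is_valid_target(target: str) -> bool:
    return bool(_IPV4.match(target) or _HOSTNAME.match(target))


def safe_argv(option: str, target: str) -> list:
    """Hardened builder: allow-list the option, validate the target, and
    return an argv list so the target is always exactly one argument."""
    if option not in TOOLS:
        raise ValueError(f"unknown option: {option!r}")
    if not is_valid_target(target):
        raise ValueError(f"rejected target: {target!r}")
    return TOOLS[option] + [target]


def run_safe(option: str, target: str) -> int:
    """Execute without a shell; returns the tool's exit status."""
    return subprocess.run(safe_argv(option, target), capture_output=True).returncode


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"  # constructed injection payload
    print("vulnerable menu ran:", repr(vulnerable_command("ping", payload)))
    print("stdout:", run_vulnerable("ping", payload).strip())
    try:
        safe_argv("ping", payload)
    except ValueError as exc:
        print("hardened menu:", exc)
```

The point of keeping validation inside safe_argv rather than in the front end is exactly the lesson of this router: the web page and the SSH menu expose the same operations, so a check that lives only in one of them leaves the other injectable.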

After that we uploaded a PowerPC SOCKS4a server coded by @_dreadlocked to the router to pivot into the organization's network. Thanks @_dreadlocked for your work!

And that's all, thanks for reading.

Affected version (others may be affected):

(Screenshot: affected firmware version)


Disclosure timeline (dates are DD/MM/YYYY):

  • 10/12/2019 Vendor notified. No response.
  • 07/01/2020 Vendor notified. No response.
  • 09/01/2020 CVE-2020-6760 assigned.
  • 06/02/2020 Blog post.