-
Notifications
You must be signed in to change notification settings - Fork 2
/
PHICOMM
24 lines (16 loc) · 949 Bytes
/
PHICOMM
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
vendor:PHICOMM
product:K2(PSG1218)
version:V22.5.11.5 and earlier
type:Remote Code Execution
author:Ming Yuan
institution:Beihang University
Vulnerability description
-------------------------
PHICOMM is an information communication domain equipment and service providers, products cover more than 70 countries.
We find a RCE vulnerability in one of its router product after connecting to it. Details are as follows:
There is a URL which anyone can access without credentials in an ajax function when you are able to access the router's WiFi.
And then our automated vulnerability detection tool discovered a remote code execution in this url handling function in lighthttpd.
POC:
curl 'http://ip:port/*****.asp?action=set&MAC=1&IP=;&DeviceRename=1&isBind=1&ifType=reboot&BlockUser=-f;&UpMax=0&DownMax=0'
This poc can reboot the router, resulting in a Dos.
p.s.Given the vendor's security, we only provide parts of the URL.