
0x01 Vulnerability description

An issue was discovered in Wavlink WN579X3, firmware package version M79X3.V5030.180719, affecting /cgi-bin/ExportAllSettings.sh, where a crafted POST request returns the current configuration of the device, including the administrator password. No authentication is required. The attacker must perform a decryption step, but all decryption information is readily available.

0x02 Affected version

WAVLINK WN579 X3

0x03 Vulnerability

When /cgi-bin/ExportAllSettings.sh is requested, the system performs no authorization check before serving it.

0x04 PoC verification

Directly construct the URL as:

http://xxx.xxx.xxx.xxx/cgi-bin/ExportAllSettings.sh

The configuration file can then be downloaded; it contains the account password.

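As an added example that is not part of the advisory, the following detector runs over constructed web-server access-log lines and flags requests to the export endpoint, separating successful exports (HTTP 200 with a body) from refused ones; the combined log format, the sample addresses and the function names are assumptions, not details from the page.

```python
import re
from collections import defaultdict

# Endpoint named in the advisory; an unauthenticated 200 with a body means a config file left the device.
EXPORT_PATH = "/cgi-bin/ExportAllSettings.sh"

# Apache/nginx "combined" access-log format (assumed; adapt the regex to the device's own log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines, not real traffic; the last one is an ordinary page load.
SAMPLE_LOG = """\
203.0.113.7 - - [25/May/2022:11:28:19 +0000] "POST /cgi-bin/ExportAllSettings.sh HTTP/1.1" 200 18432 "-" "curl/7.79.1"
203.0.113.7 - - [25/May/2022:11:28:20 +0000] "GET /cgi-bin/ExportAllSettings.sh HTTP/1.1" 200 18432 "-" "curl/7.79.1"
198.51.100.4 - - [25/May/2022:11:30:02 +0000] "GET /cgi-bin/ExportAllSettings.sh?x=1 HTTP/1.1" 403 0 "-" "Mozilla/5.0"
192.168.1.10 - - [25/May/2022:11:31:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def find_config_exports(log_text):
    """One finding per request to the export endpoint.
    severity 'high' = device answered 200 with a body (export succeeded), 'info' = refused or empty."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["path"].split("?")[0] != EXPORT_PATH:  # ignore any query string when matching
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        exported = m["status"] == "200" and size > 0
        findings.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "status": int(m["status"]), "bytes": size,
            "severity": "high" if exported else "info",
        })
    return findings

def exports_by_source(findings):
    """Count successful exports per client IP so a repeat source stands out."""
    counts = defaultdict(int)
    for f in findings:
        if f["severity"] == "high":
            counts[f["ip"]] += 1
    return dict(counts)

if __name__ == "__main__":
    hits = find_config_exports(SAMPLE_LOG)
    print(*hits, sep="\n")
    print(exports_by_source(hits))
```
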
0x05 Acknowledgement

Penwei.Huang