***********************************
* CVE-2020-10973 *
***********************************
SUMMARY: https://james-clee.com/2020/04/23/more-information-disclosure-in-wavlink-devices/
[Suggested description]
An issue was discovered on Wavlink WL-WN530HG4 M30HG4.V5030.191116
devices, affecting /cgi-bin/ExportALLSettings.sh. A crafted POST
request returns the current configuration of the device, encrypted
with OpenSSL aes-256-cbc, without requiring any sort of authentication.
However, the password used to encrypt/decrypt the file is hardcoded.
Once the file is decrypted with the hardcoded key, it contains the
administrator username and password.
------------------------------------------
[Additional Information]
This can be used in conjunction with CVE-2020-10973 to achieve full
remote code execution, since you can use the administrator password
found here to create your own session instead of relying on the end user.
------------------------------------------
[Vulnerability Type]
Insecure Permissions
------------------------------------------
[Vendor of Product]
Wavlink
------------------------------------------
[Affected Product Code Base]
WL-WN530HG4 - M30HG4.V5030.191116
------------------------------------------
[Affected Component]
WL-WN530HG4 - /cgi-bin/ExportALLSettings.sh
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
A basic POST request to ExportALLSettings.sh will run the script and automatically download the
configuration file, which can be easily decrypted.
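
Detection sketch for the request described above, added here as an example (not part of the original advisory or any vendor code). It assumes a proxy or network sensor in front of the device writes Combined Log Format; the admin network, sample log lines and function name are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

EXPORT_PATH = "/cgi-bin/ExportALLSettings.sh"  # endpoint named in the advisory
# Assumption: hosts allowed to export settings (constructed value).
ADMIN_NETS = [ip_network("192.168.10.0/28")]
# Assumption: Combined Log Format from a proxy or sensor in front of the device.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def find_exports(lines, admin_nets=ADMIN_NETS):
    """Return (timestamp, source, bytes) for each successful settings export
    requested from outside the admin networks."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Match on the decoded path only, so a query string or
        # percent-encoding does not hide the request.
        path = unquote(m["target"].split("?", 1)[0])
        if path != EXPORT_PATH:
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        if m["status"] != "200" or size == 0:
            continue  # nothing was returned to the client
        try:
            src = ip_address(m["src"])
        except ValueError:
            continue  # source field is not an IP address
        if any(src in net for net in admin_nets):
            continue
        hits.append((m["ts"], str(src), size))
    return hits

# Constructed sample log lines (not captured from a real device).
SAMPLE = [
    '203.0.113.7 - - [23/Apr/2020:10:15:02 +0000] "POST /cgi-bin/ExportALLSettings.sh HTTP/1.1" 200 18432 "-" "curl/7.68.0"',
    '192.168.10.5 - - [23/Apr/2020:10:20:11 +0000] "POST /cgi-bin/ExportALLSettings.sh HTTP/1.1" 200 18432 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [23/Apr/2020:10:21:40 +0000] "GET /cgi-bin/ExportALLSettings.sh HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.9 - - [23/Apr/2020:10:22:03 +0000] "POST /cgi-bin/ExportALLSettings.sh HTTP/1.1" 403 0 "-" "-"',
    '203.0.113.8 - - [23/Apr/2020:10:25:47 +0000] "POST /cgi-bin/ExportALLSettings%2Esh?x=1 HTTP/1.1" 200 18432 "-" "-"',
]

if __name__ == "__main__":
    for ts, src, size in find_exports(SAMPLE):
        print(f"{ts} settings export to {src} ({size} bytes)")
```

Any hit means the exported file, and with it the administrator credentials, should be treated as disclosed.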
------------------------------------------
[Reference]
https://www.wavlink.com