CVE/CVE-2020-10973
***********************************
*         CVE-2020-10973          *
***********************************

SUMMARY: https://james-clee.com/2020/04/23/more-information-disclosure-in-wavlink-devices/

[Suggested description]
An issue was discovered on Wavlink WL-WN530HG4 M30HG4.V5030.191116
devices, affecting /cgi-bin/ExportALLSettings.sh. A crafted POST
request returns the current configuration of the device encrypted
with OpenSSL aes-256-cbc without requiring any sort of authentication.
However, the password to encrypt/decrypt the file is hardcoded. Once
the file is decrypted with the hardcoded key, it contains the
administrator username and password.

------------------------------------------

[Additional Information]
This can be used in conjunction with CVE-2020-10973 to achieve full
remote code execution, since you can use the administrator password
found here to create your own session instead of relying on the end user.

------------------------------------------

[Vulnerability Type]
Insecure Permissions

------------------------------------------

[Vendor of Product]
Wavlink

------------------------------------------

[Affected Product Code Base]
WL-WN530HG4 - M30HG4.V5030.191116

------------------------------------------

[Affected Component]
WL-WN530HG4 - /cgi-bin/ExportALLSettings.sh

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Information Disclosure]
true

------------------------------------------

[Attack Vectors]
A basic POST request to ExportALLSettings.sh will run the script and
automatically download the configuration file, which can be easily
decrypted.

------------------------------------------

[Reference]
https://www.wavlink.com
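
Detection sketch for the attack vector above (an added example, not part of the original advisory or any vendor code): it scans HTTP access logs for POST requests to /cgi-bin/ExportALLSettings.sh and marks those that came from outside the LAN and those that returned a body. It assumes Combined Log Format lines from a reverse proxy or HTTP-aware sensor in front of the device; the LAN ranges, the function name and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

EXPORT_PATH = "/cgi-bin/exportallsettings.sh"  # path from the advisory, lower-cased
# Assumed LAN ranges; adjust to the network being monitored.
LAN = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8")]

# Combined Log Format: src - - [time] "METHOD target PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def find_export_requests(lines):
    """Return one finding per POST to the settings-export script."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Normalise before comparing: drop query string, decode %xx,
        # collapse duplicate slashes, ignore case.
        path = re.sub(r"/+", "/", unquote(m["target"].split("?", 1)[0])).lower()
        if path != EXPORT_PATH:
            continue
        try:
            addr = ipaddress.ip_address(m["src"])
            external = not any(addr in net for net in LAN)
        except ValueError:
            external = True  # unparseable source: treat as untrusted
        size = 0 if m["size"] == "-" else int(m["size"])
        findings.append({
            "src": m["src"], "time": m["ts"], "external": external,
            # A 200 with a body means the configuration file was served.
            "config_returned": m["status"] == "200" and size > 0,
        })
    return findings

# Constructed sample log lines (documentation and private addresses only).
SAMPLE_LOG = [
    '192.168.10.23 - - [23/Apr/2020:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [23/Apr/2020:10:02:40 +0000] "POST /cgi-bin/ExportALLSettings.sh HTTP/1.1" 200 18432',
    '203.0.113.7 - - [23/Apr/2020:10:02:41 +0000] "POST /cgi-bin//exportallsettings.sh?x=1 HTTP/1.1" 403 0',
    '192.168.10.23 - - [23/Apr/2020:10:05:03 +0000] "POST /cgi-bin/ExportALLSettings.sh HTTP/1.1" 200 18400',
    '192.168.10.23 - - [23/Apr/2020:10:06:00 +0000] "POST /other HTTP/1.1" 302 -',
]

if __name__ == "__main__":
    for f in find_export_requests(SAMPLE_LOG):
        print(f)
```

Any finding with external and config_returned both true means the administrator credentials in that export should be treated as exposed and rotated.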