***********************************
* CVE-2020-10973 *
***********************************
SUMMARY: https://james-clee.com/2020/04/23/more-information-disclosure-in-wavlink-devices/
[Suggested description]
An issue was discovered on Wavlink WL-WN530HG4 M30HG4.V5030.191116
devices, affecting /cgi-bin/ExportALLSettings.sh. A crafted POST
request returns the current configuration of the device, encrypted
with OpenSSL aes-256-cbc, without requiring any sort of
authentication. However, the password used to encrypt/decrypt the
file is hardcoded. Once the file is decrypted with the hardcoded
key, it reveals the administrator username and password.
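
For firmware review, the hardcoded-passphrase pattern described above can be caught statically in extracted CGI scripts. The following is an added example, not code from the advisory or from the vendor's firmware: the sample script, its variable names and the placeholder passphrases are constructed, and the check covers only the `openssl` `-k` and `-pass pass:` options.

```python
import re
import shlex

# Constructed sample in the style of a config-export CGI script.
# The passphrases are placeholders, not values from any real firmware.
SAMPLE_CGI = '''#!/bin/sh
# export settings (constructed example)
KEY=PLACEHOLDER_PASSPHRASE
tar czf /tmp/cfg.tgz /etc/config
openssl enc -aes-256-cbc -salt -k "$KEY" -in /tmp/cfg.tgz -out /tmp/cfg.dat
openssl enc -aes-256-cbc -pass pass:PLACEHOLDER2 -in a -out b
openssl enc -aes-256-cbc -pass env:DEVICE_KEY -in a -out b
openssl enc -aes-256-cbc -k "$(cat /etc/device.key)" -in a -out b
'''

ASSIGN = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)=(.*)$')
VARREF = re.compile(r'^\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?$')

def find_hardcoded_passphrases(script):
    """Return (line_no, option, origin) for each openssl passphrase that is a constant."""
    literals = {}   # shell variable name -> line where it was set to a constant
    findings = []
    for no, line in enumerate(script.splitlines(), 1):
        try:
            toks = shlex.split(line, comments=True)
        except ValueError:          # unbalanced quotes: skip rather than guess
            continue
        if len(toks) == 1:          # a bare NAME=value assignment
            m = ASSIGN.match(toks[0])
            if m and '$' not in m.group(2) and '`' not in m.group(2):
                literals[m.group(1)] = no
            continue
        if 'openssl' not in toks:
            continue
        for opt, val in zip(toks, toks[1:]):
            if opt == '-pass' and val.startswith('pass:'):
                val = val[5:]
            elif opt != '-k':       # env:, file:, fd: sources are not literals
                continue
            ref = VARREF.match(val)
            if ref and ref.group(1) in literals:
                origin = 'variable set to a constant on line %d' % literals[ref.group(1)]
                findings.append((no, opt, origin))
            elif '$' not in val and '`' not in val:
                findings.append((no, opt, 'literal on the command line'))
    return findings
```

Passphrases taken from `env:`, `file:` or a command substitution are not flagged, since their value is not fixed in the script itself.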
------------------------------------------
[Additional Information]
This can be used in conjunction with CVE-2020-10973 to achieve full
remote code execution, since you can use the administrator password
found here to create your own session instead of relying on the end user.
------------------------------------------
[Vulnerability Type]
Insecure Permissions
------------------------------------------
[Vendor of Product]
Wavlink
------------------------------------------
[Affected Product Code Base]
WL-WN530HG4 - M30HG4.V5030.191116
------------------------------------------
[Affected Component]
WL-WN530HG4 - /cgi-bin/ExportALLSettings.sh
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
A basic POST request to ExportALLSettings.sh will run the script and automatically download the
configuration file, which can be easily decrypted.
------------------------------------------
[Reference]
https://www.wavlink.com