Sunday, January 26, 2020

[DrayTek] - Unauthenticated RCE in Draytek Vigor 2960, 3900 and 300B (CVE-2020-8515)


DrayTek is a manufacturer of firewalls, VPN devices, routers, WLAN devices, etc., based in China. While investigating different network devices, I found a device model named Vigor 2960 (no, it's not a switch like the Cisco one). The DrayTek Vigor 2960 is a high-performance dual-WAN load-balancing router and VPN gateway.

When you try to authenticate, this device sends a POST request to mainfunction.cgi with different parameters.

Now, what if we try adding shell escape characters to every parameter? After a few tries, it was possible to execute the pwd command.

After executing the command, I was thinking about how to escalate privileges, but this was a surprise: after running the command id, I thought the answer was going to be "www-data" or something similar, but it was root!


Here are more examples of different commands executed.
Oops! /etc/passwd ;)

Right now I'm working on the reverse shell, because the commands executed are parsed by mainfunction.cgi. It is a little bit tricky to get a reverse shell with a command without spaces: sed is replacing the spaces with "+".
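As an added defensive example (not code from the original post, and not DrayTek's), the following Python scans request records for POSTs to mainfunction.cgi whose decoded parameter values carry shell metacharacters; the CGI directory, parameter names and sample bodies are constructed assumptions, since the post names only the CGI file.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Shell metacharacters that have no business inside a login form field:
# command separators, pipes, backticks and both command-substitution forms.
SHELL_META = re.compile(r"[;|`\n]|\$\(|\$\{")


def is_mainfunction(path: str) -> bool:
    """True when the request targets mainfunction.cgi in any directory."""
    return urlsplit(path).path.rsplit("/", 1)[-1].lower() == "mainfunction.cgi"


def find_injection(method: str, path: str, body: str) -> list:
    """Return (param, value) pairs whose decoded value contains shell metacharacters.

    parse_qsl decodes %xx escapes and turns '+' into a space, so a payload whose
    spaces were encoded as '+' is inspected in its decoded form. A legitimate
    password containing ';' would also be flagged; tune SHELL_META for your site.
    """
    if method.upper() != "POST" or not is_mainfunction(path):
        return []
    params = parse_qsl(body, keep_blank_values=True)
    return [(k, v) for k, v in params if SHELL_META.search(v)]


def scan(records) -> list:
    """Scan (method, path, body) records and return the flagged ones."""
    hits = []
    for method, path, body in records:
        bad = find_injection(method, path, body)
        if bad:
            hits.append({"path": path, "params": bad})
    return hits


# Constructed sample traffic: the directory, parameter names and values are
# invented for this example and are not taken from the device or the post.
SAMPLE_REQUESTS = [
    ("POST", "/cgi-bin/mainfunction.cgi", "action=login&user=admin&pass=Correct-Horse"),
    ("POST", "/cgi-bin/mainfunction.cgi", "action=login&user=admin&pass=x%3B+pwd"),
    ("POST", "/cgi-bin/mainfunction.cgi", "action=login&user=%60id%60&pass=x"),
    ("GET", "/cgi-bin/mainfunction.cgi", "action=status"),
    ("POST", "/other.cgi", "q=a%3Bb"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit)
```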


But I'm concerned about something more important than that. If you go to shodan.io right now and search for "Draytek" only, you'll find 710,029 hosts!

If you search for the Vigor 2960 model, you'll get 15,429 hosts.



Are all of these hosts vulnerable? Let's find out.

After a few hours I created a Python script to check whether a list of IPs is vulnerable to this RCE. So, after exporting all the results for Vigor 2960, and a few hours later, all the hosts were tested.


 

3593 are vulnerable! And I'm 100% sure that the number of vulnerable hosts is higher, because of the timeout parameter configured in the requests.
And that's not all!

This vulnerability also fully applies to the DrayTek Vigor 3900 and 300B!


Draytek Vigor 3900




Draytek 300B

This device is not a VPN device like the others; it is a load balancer.



Until now, which versions/firmware were detected as vulnerable?

  • Vigor2960
    • 1.3.1_Beta
  • Vigor3900
    • 1.4.4_Beta
  • Vigor300B
    • 1.4.2.1_Beta
    • 1.4.4_Beta
    • 1.3.3_Beta

CVE: CVE-2020-8515
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8515

By @mpx0 (mpx, author)

3 comments:

  1. Hi!
    Did you request the CVE yourself or through DrayTek?

  2. Hello, can you send me the script of the exploit?

  3. What's the payload of the exploit? You can send it to me at pone2018@gmail.com
