Skip to content

Instantly share code, notes, and snippets.

  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
Disclosure of vulnerabilities in Vigor2960 and Vigor3900


Vigor2960 fw1.5.1.1RC3 (r8167) Vigor3900 fw1.5.1.1beta_r8167

Vulnerability details

There are some command injection vulnerabilities in the mainfunction.cgi file. The details are as follows:

1. in downlaod_ovpn function

The parameters from http_input are written directly to the buf of s without filtering, followed by system, which can causecommand injection

2. in doOpenVpn function

The value of "option" is from "http_input" and later concatenated and used by "system" without any special characters sanitizing, causing command injection

3. int dumpSyslog_func

The value of "option" is from "http_input", and single quote character allowed. So, since it is user-controllable, when user input closes the single quote, a command injection is done.

4. in get_subconfig_func

"rtick" is from "http_input", and further passed to "sub_F2D8". In "sub_F2D8", "rtick" is concatenated to "/tmp/ipv6_neigh_", then passed to "system", causing command injection.

5. in set_ap_map_config_func
The value of "option" is from "http_input",and will be spliced with "/sbin/ipsec_new_cer" , may cause command execution

6. in delete_wlan_profile_func

The value of "profile_number " is from "http_input" and will be spliced with "uci delete apm_wlan_profile.profile", may cause command execution

7. in ruequest_certificate_func

The value of "option" will be spliced with "/sbin/ipsec_new_cer" , may cause command execution

8. in doGRETunnel_func

The table value will be spliced with "/etc/init.d/gretunnel disconnect_from_web '%s' 1>/dev/null 2>&1" , may cause command execution




Thanks for draytek's instant response!


2020.05.29 report these vulnerabilities
2020.06.01 vendor reply
2020.06.04 vendor fix these vulnerabilities
2020.06.17 vendor released new firmware

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment