Vulnerability CVE-2017-17411
Published: 2017-12-21

Description:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Linksys WVBR0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web management portal. The issue lies in the lack of proper validation of user data before executing a system call. An attacker could leverage this vulnerability to execute code with root privileges. Was ZDI-CAN-4892.

See advisories in our WLB2 database:
Topic
Author
Date
High
Linksys WVBR0-25 User-Agent Command Execution
HeadlessZeke
04.01.2018

Type:

CWE-78

 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') )

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
10/10
10/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

 References:
http://www.securityfocus.com/bid/102212
https://github.com/rapid7/metasploit-framework/pull/9336
https://www.exploit-db.com/exploits/43363/
https://www.exploit-db.com/exploits/43429/
https://zerodayinitiative.com/advisories/ZDI-17-973
Copyright 2024, cxsecurity.com

 

Back to Top