module
Cisco Small Business RV Series Authentication Bypass and Command Injection
Disclosed | Created |
---|---|
2021-04-07 | 2022-02-01 |
Description
This module exploits an authentication bypass (CVE-2021-1472) and command injection (CVE-2021-1473)
in the Cisco Small Business RV series of VPN/routers. The device does not adequately verify the
credentials in the HTTP Authorization field when requests are made to the /upload endpoint. Then
the upload.cgi binary will use the contents of the HTTP Cookie field as part of a `curl` request
aimed at an internal endpoint. The curl request is executed using `popen` and allows the attacker
to inject commands via the Cookie field.
A remote and unauthenticated attacker using this module is able to achieve code execution as `www-data`.
This module affects the RV340, RV340w, RV345, and RV345P using firmware versions 1.0.03.20 and below.
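The remediation side of the `popen` pattern described above, as an added example that is not code from the firmware or from the module: validate the cookie value against an allowlist, then pass it to `curl` as a single argv element so no shell parses it. The cookie name `sessionid`, the 64-character limit, the alphanumeric token format and the loopback URL used in testing are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SESSIONID_MAX 64  /* assumed upper bound on a session token */

/* Pattern the description warns about (illustrative, not the firmware's code):
 *   snprintf(cmd, sizeof cmd, "curl -b '%s' %s", cookie, url);
 *   fp = popen(cmd, "r");   // /bin/sh parses cmd, so quotes or ';' in the
 *                           // Cookie header become shell syntax
 */

/* Allowlist check: accept only a short alphanumeric token (assumed format). */
int sessionid_is_safe(const char *v)
{
    size_t n;
    if (v == NULL)
        return 0;
    n = strlen(v);
    if (n == 0 || n > SESSIONID_MAX)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)v[i]))
            return 0;
    return 1;
}

/* Fill argv for execvp("curl", argv) (cast to char *const * at the call):
 * each element reaches curl as one argument and no shell ever sees it.
 * Returns 0 on success, -1 if the value is rejected or does not fit. */
int build_curl_argv(const char *sessionid, const char *url,
                    char *cookie, size_t cookie_len, const char *argv[5])
{
    int n;
    if (!sessionid_is_safe(sessionid))
        return -1;
    n = snprintf(cookie, cookie_len, "sessionid=%s", sessionid);
    if (n < 0 || (size_t)n >= cookie_len)
        return -1;
    argv[0] = "curl";
    argv[1] = "-b";      /* curl's cookie option */
    argv[2] = cookie;
    argv[3] = url;
    argv[4] = NULL;
    return 0;
}
```

Rejecting the request outright on a failed check, rather than stripping characters, also gives a clean signal to log and alert on.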
Authors
Takeshi Shiomitsu
jbaines-r7
Platform
Linux, Unix
Architectures
cmd, armle
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
