DrayTek gateway devices, specifically the Vigor2960 and Vigor300B models, are affected by a critical command injection vulnerability.
It is exploitable through the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint: an attacker can inject arbitrary commands into the system by manipulating the session parameter of a crafted HTTP request.
The vulnerability affects over 66,000 internet-exposed devices and can give an attacker remote code execution, full control of the device, and access to sensitive network data.
DrayTek Vigor2960 and Vigor300B devices running software version 1.5.1.4 are vulnerable to a command injection flaw in the Web Management Interface, specifically in the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint.
An attacker exploits the flaw by injecting commands into the HTTP request; the device then executes them with elevated privileges.
Successful exploitation can give an attacker unauthorized access to the device, arbitrary code execution, and potentially a foothold from which to compromise the entire network.
The command injection in the apmcfgupload endpoint arises from insufficient input validation of the session parameter.
The Python script exploits the vulnerability by crafting a malformed HTTP request and sending it over a raw socket connection, bypassing the normalization a typical HTTP client library would apply and transmitting the request to the target device byte for byte.
Within the `apmcfgupload` path, the request carries the injected command, `pwd`, in hexadecimal (percent) encoding.
The script then opens the connection, sends the crafted request, and reads the server's response. Its aim is to have the injected command executed on the target system by manipulating the structure of the HTTP request.
Command injection lets an attacker execute arbitrary commands on the underlying operating system: shell syntax is placed in user input that the application passes, unsanitized, to a command interpreter.
The first example is a straightforward injection of the `pwd` command, which prints the directory the process is currently running in.


The second example is more refined: it uses `${IFS}` (the shell's Internal Field Separator) in place of spaces to bypass filters that block whitespace, and runs `cat /etc/persistence/config/device_in*`, which can expose sensitive system configuration files.
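For a defender, the useful counterpart to the two injection examples above is a triage script that finds such requests in web-server logs. The following Python is an added example, not the script discussed on this page or DrayTek code: it takes the endpoint path, the `session` parameter and the `${IFS}` trick from the text, while the simplified log format and the sample lines are constructed for the example and are not the script's actual payload. It percent-decodes the parameter, flags shell metacharacters (including encoded line breaks), and rewrites `${IFS}` to a space so the analyst sees the command the way the shell would after word splitting.

```python
"""Triage log lines for command injection attempts against the DrayTek
apmcfgupload endpoint (added example; log format and samples are constructed)."""
import re
from urllib.parse import unquote_plus, urlsplit

TARGET_PATH = "/cgi-bin/mainfunction.cgi/apmcfgupload"

# Shell metacharacters that have no business in a session identifier.
# Newline and carriage return matter because a percent-encoded line break
# is a classic way to end one shell command and start another.
SHELL_META = re.compile(r"[\n\r;|&`$(){}<>]")

# Constructed sample lines in a simplified "ip method target status" format.
SAMPLE_LOG = [
    "203.0.113.5 GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=abc123 200",
    "203.0.113.7 GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=x%0Apwd%0A 200",
    "203.0.113.9 GET /cgi-bin/mainfunction.cgi/apmcfgupload?session="
    "x%0Acat%24%7BIFS%7D/etc/persistence/config/device_in%2A%0A 200",
    "203.0.113.5 GET /index.html 200",
]


def session_values(query: str):
    """Yield every percent-decoded value of the session parameter.

    The query string is split by hand instead of with parse_qs so that a
    literal '&' or ';' inside a value is still visible to the check."""
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if unquote_plus(name) == "session":
            yield unquote_plus(value)


def normalize_ifs(cmd: str) -> str:
    """Replace ${IFS} / $IFS with a space: this is what word splitting does
    in the shell, and it is why ${IFS} defeats a filter that blocks spaces."""
    return re.sub(r"\$\{IFS\}|\$IFS", " ", cmd)


def analyze_request(target: str):
    """Return None for a benign request, otherwise the decoded session value
    and its IFS-normalized form."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return None
    for value in session_values(parts.query):
        if SHELL_META.search(value):
            return {"decoded": value, "normalized": normalize_ifs(value)}
    return None


def triage(lines):
    """Run analyze_request over log lines; return (client_ip, finding) pairs."""
    hits = []
    for line in lines:
        ip, _method, target, _status = line.split(" ", 3)
        finding = analyze_request(target)
        if finding:
            hits.append((ip, finding))
    return hits


if __name__ == "__main__":
    for ip, finding in triage(SAMPLE_LOG):
        print(f"{ip}: session={finding['decoded']!r} -> {finding['normalized']!r}")
```

The check runs on the decoded value on purpose: matching on the raw, percent-encoded string would miss `%24%7BIFS%7D` and any other encoding variant of the same command.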


To mitigate the issue, NetSecFish recommends strict input validation and sanitization of all CGI script parameters, so that malicious input cannot reach the shell through the scripts.
Restricting access to the web management interface to trusted IP addresses significantly reduces the attack surface by blocking access attempts from untrusted sources.
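Both recommendations can be shown in code. The following Python is an added illustration and not DrayTek firmware (the device's CGI is not written in Python): the parameter name, the endpoint and the `${IFS}` bypass come from the text above; the token format, the trusted networks and the handler are assumed for the example. It contrasts a blocklist filter that only rejects spaces, which `${IFS}` walks straight through, with an allowlist check on the decoded value, and adds a source-address allowlist for the management interface.

```python
"""Hardening checks for a CGI handler (added example, not DrayTek code):
allowlist validation of the session parameter and an IP allowlist."""
import ipaddress
import re
from urllib.parse import unquote_plus

# Assumed token shape: a session identifier is an opaque alphanumeric token,
# so that is the only thing the handler accepts.
SESSION_RE = re.compile(r"[A-Za-z0-9]{8,64}")


def weak_session_check(raw: str) -> bool:
    """Blocklist filter that only rejects spaces. It accepts
    'cat${IFS}/etc/persistence/config/device_in*' because the shell, not the
    filter, turns ${IFS} into whitespace: the bypass described in the text."""
    return " " not in unquote_plus(raw)


def strict_session_check(raw: str) -> bool:
    """Allowlist filter: percent-decode first, then require the token shape.
    Validating the decoded value means encoding cannot smuggle bytes past it."""
    return SESSION_RE.fullmatch(unquote_plus(raw)) is not None


# Assumed: management access is allowed from an admin VLAN and one jump host.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.1.0/24"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def client_is_trusted(client_ip: str) -> bool:
    """True if the source address is inside a trusted network. The caller
    must pass the socket peer address, never a client-controlled header
    such as X-Forwarded-For."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def handle_apmcfgupload(client_ip: str, raw_session: str) -> str:
    """Decision order for the hardened handler: network allowlist first,
    then parameter allowlist, and only then act on the value. Returns a
    status string instead of doing the real upload work."""
    if not client_is_trusted(client_ip):
        return "403 untrusted source"
    if not strict_session_check(raw_session):
        return "400 invalid session parameter"
    return "200 ok"


if __name__ == "__main__":
    probe = "cat%24%7BIFS%7D/etc/persistence/config/device_in%2A"
    print("weak filter accepts IFS bypass:", weak_session_check(probe))
    print("strict filter accepts IFS bypass:", strict_session_check(probe))
    print(handle_apmcfgupload("203.0.113.5", "abc12345"))
    print(handle_apmcfgupload("10.0.1.77", "abc12345"))
```

The order of the checks matters for exposure: an untrusted source never gets as far as parameter parsing, so even an unknown parsing bug in the CGI is reachable only from the allowlisted networks.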