CVE-2018-17208

Linksys Velop 1.1.2.187020 devices allow unauthenticated command injection, providing an attacker with full root access, via cgi-bin/zbtest.cgi or cgi-bin/zbtest2.cgi (scripts that can be discovered with binwalk on the firmware, but are not visible in the web interface). This occurs because shell metacharacters in the query string are mishandled by ShellExecute, as demonstrated by the zbtest.cgi?cmd=level&level= substring. This can also be exploited via CSRF.
References
Link Resource
https://langkjaer.com/velop.html Exploit Technical Description Third Party Advisory
https://langkjaer.com/velop.html Exploit Technical Description Third Party Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:linksys:velop_firmware:1.1.2.187020:*:*:*:*:*:*:*
cpe:2.3:h:linksys:velop:-:*:*:*:*:*:*:*

History

21 Nov 2024, 03:54

Type Values Removed Values Added
References () https://langkjaer.com/velop.html - Exploit, Technical Description, Third Party Advisory () https://langkjaer.com/velop.html - Exploit, Technical Description, Third Party Advisory

Information

Published : 2018-09-19 17:29

Updated : 2024-11-21 03:54


NVD link : CVE-2018-17208

Mitre link : CVE-2018-17208

CVE.ORG link : CVE-2018-17208


JSON object : View

Products Affected

linksys

  • velop
  • velop_firmware
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')