Linksys Velop 1.1.2.187020 devices allow unauthenticated command injection, providing an attacker with full root access, via cgi-bin/zbtest.cgi or cgi-bin/zbtest2.cgi (scripts that can be discovered with binwalk on the firmware, but are not visible in the web interface). This occurs because shell metacharacters in the query string are mishandled by ShellExecute, as demonstrated by the zbtest.cgi?cmd=level&level= substring. This can also be exploited via CSRF.
References
Link | Resource |
---|---|
https://langkjaer.com/velop.html | Exploit Technical Description Third Party Advisory |
https://langkjaer.com/velop.html | Exploit Technical Description Third Party Advisory |
Configurations
Configuration 1 (hide)
AND |
|
History
21 Nov 2024, 03:54
Type | Values Removed | Values Added |
---|---|---|
References | () https://langkjaer.com/velop.html - Exploit, Technical Description, Third Party Advisory |
Information
Published : 2018-09-19 17:29
Updated : 2024-11-21 03:54
NVD link : CVE-2018-17208
Mitre link : CVE-2018-17208
CVE.ORG link : CVE-2018-17208
JSON object : View
Products Affected
linksys
- velop
- velop_firmware
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')