### Multiple Authenticated RCE on FX-1010 Fetch URL and Poll Routes CVE-2020-7243 CVE-2020-7244) **[Comtech] Multiple Authenticated RCE on FX-1010 Fetch URL and Poll Routes** The web application used for the management and administration of Compression Bandwidth Optimization Platform has a critical vulnerability that allow to an attacker to do a Remote Code Execution with root access. That is, the application allows to gain full control over the server. ## Comtech FX-1010 [ ](https://images.seebug.org/1583428695251-w331s) Vendor WebSite: <http://www.comtechtel.com/> You can search for vulnerable sites on google with the following dork **" Comtech FX Series"** or maybe in shodan if you want. We need to use the default comtech credentials to access on the administration panel (comtech:comtech) [ ](https://images.seebug.org/1583428699131-w331s) **RCE PoC #1** Go to the Menu and click on...
### Multiple Authenticated RCE on FX-1010 Fetch URL and Poll Routes CVE-2020-7243 CVE-2020-7244) **[Comtech] Multiple Authenticated RCE on FX-1010 Fetch URL and Poll Routes** The web application used for the management and administration of Compression Bandwidth Optimization Platform has a critical vulnerability that allow to an attacker to do a Remote Code Execution with root access. That is, the application allows to gain full control over the server. ## Comtech FX-1010 [ ](https://images.seebug.org/1583428695251-w331s) Vendor WebSite: <http://www.comtechtel.com/> You can search for vulnerable sites on google with the following dork **" Comtech FX Series"** or maybe in shodan if you want. We need to use the default comtech credentials to access on the administration panel (comtech:comtech) [ ](https://images.seebug.org/1583428699131-w331s) **RCE PoC #1** Go to the Menu and click on Operations > Diagnostics > Fetch URL [](https://images.seebug.org/1583428702087-w331s) On URL input we can put a **site name like "www.google.cl"** but we can add other command behind of ";" in this case, we are going to use an "id" command. [](https://images.seebug.org/1583428705399-w331s) When we press OK, the result show us the user and groups. [](https://images.seebug.org/1583428707734-w331s) Now we create a python script to get a reverse shell with full control of the system. [](https://images.seebug.org/1583428709985-w331s) ******RCE PoC #2** Go to the Menu and click on Operations > Diagnostics > Poll Routes [](https://images.seebug.org/1583428715312-w331s) ------ On Router IP Address input we can use an IP but we can add other command behind of ";" in this case, we are going to use an "id" command. [](https://images.seebug.org/1583428718094-w331s) When we press OK, the result show us the user and groups. [](https://www.blogger.com/blogger.g?blogID=3088897312176448925)[](https://www.blogger.com/blogger.g?blogID=3088897312176448925)[](https://www.blogger.com/blogger.g?blogID=3088897312176448925)[](https://www.blogger.com/blogger.g?blogID=3088897312176448925)[](https://www.blogger.com/blogger.g?blogID=3088897312176448925)[](https://images.seebug.org/1583428721981-w331s) Now we create a python script to get a reverse shell with full control of the system. [](https://images.seebug.org/1583428724195-w331s) Happy Hacking [@CesarSilence](https://twitter.com/cesarsilence) ** **
