| Title | SECCN SECCN G10 VPN V3.1.0.181203 Unauthorized RCE |
|---|
| Description | Technical Analysis (Vulnerability Logic):
Source of Taint: The variable $in{user} is attacker-controlled input taken directly from a web POST request via the ReadParse function.
Insecure Sink: The script calls Perl's system with a qq(...) string to execute backend logic. In Perl, qq is the double-quote interpolation operator, so variables are evaluated and embedded into the string before it is passed to the system shell.
Exploitation (Command Chaining): Because $in{user} is not sanitized, an attacker can inject a shell command separator (;). For instance, a payload like 13800000000;telnetd -p 9999; turns the command into a multi-step execution:
Step 1: user_auth.pl ... 13800000000 (original intended command)
Step 2: telnetd -p 9999 (injected malicious command)
Step 3: [trailing_random_numbers] (system noise)
Pre-Auth Reachability: The injection point is in the SMS verification trigger logic. Because this functionality must be accessible before a user is authenticated, the flaw allows complete pre-auth RCE. |
|---|
| Source | https://github.com/cha0yang1/SECCN/blob/main/UnauthorizedRCE.md |
|---|
| User | Ruler-Chovy (UID 95098) |
|---|
| Submission | 02/08/2026 09:19 AM (2 months ago) |
|---|
| Moderation | 02/18/2026 03:13 PM (10 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 346488 [SECCN Dingcheng G10 3.1.0.181203 session_login.cgi qq User os command injection] |
|---|
| Points | 20 |
|---|
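
The sink pattern from the description next to a hardened form, as an added example that is not the vendor's code or part of the submission. Assumptions: `/bin/echo` stands in for the backend helper, `%in` is filled by hand instead of by ReadParse, the digits-only length bound is illustrative, and `$rand` is a constructed stand-in for the trailing number the script appends.

```perl
#!/usr/bin/perl
# Added example, not the vendor's code. /bin/echo stands in for the backend
# helper (assumption), and %in is filled by hand instead of by ReadParse.
use strict;
use warnings;

my $HELPER = '/bin/echo';    # stand-in for the backend helper (assumption)

# Before: the pattern the description reports. The qq() string is built first,
# then handed to /bin/sh -c, so any ';' in $user starts a new shell command.
sub build_shell_string {
    my ($user, $rand) = @_;
    return qq($HELPER sms $user $rand);
}

# After, part 1: allowlist the field. Digits only, bounded length (assumed
# format); \A and \z rather than ^ and $ so a trailing newline is rejected.
sub valid_user {
    my ($user) = @_;
    return defined $user && $user =~ /\A[0-9]{6,15}\z/;
}

# After, part 2: list-form system() executes the program directly with an
# argv array. No shell is involved, so metacharacters are never interpreted.
sub send_sms {
    my ($user, $rand) = @_;
    return 0 unless valid_user($user);
    my $rc = system { $HELPER } $HELPER, 'sms', $user, $rand;
    return $rc == 0;
}

# Constructed inputs: a normal number and the payload quoted in the report.
my %in   = (user => '13800000000');
my $rand = '482915';    # constructed stand-in for the trailing random number

for my $user ($in{user}, '13800000000;telnetd -p 9999;') {
    # Show how the shell would split the string, without executing it.
    my @cmds = split /;/, build_shell_string($user, $rand);
    printf "input %-32s shell sees %d command(s), valid=%s\n",
        "'$user'", scalar(@cmds), valid_user($user) ? 'yes' : 'no';
    print "  list-form call ", (send_sms($user, $rand) ? "ran" : "refused"), "\n";
}
```

For the reported payload the interpolated string splits into the three commands listed in the description, while the hardened path rejects the value before any process is started.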