by amiga386
571 days ago
Don't shoot the messenger. This is from the people who discovered it: https://netsecfish.notion.site/Command-Injection-Vulnerabili...

> The vulnerability is localized to the account_mgr.cgi script, particularly in the handling of the cgi_user_add command. The name parameter in this script does not adequately sanitize input, allowing for command execution.

> /cgi-bin/account_mgr.cgi?cmd=cgi_user_add&name=%27;<INJECTED_SHELL_COMMAND>;%27

I know, I know, that would mean the exact command run, based on the reversed code shown on screen at https://youtu.be/-vpGswuYVg8?t=656 would be

    adduser -u "';<INJECTED_SHELL_COMMAND>;'" -p "" >/dev/null

which would be harmless, so clearly if the PoC says %27 then the real format string must be more like "adduser -u '%s' ...". Maybe the YouTuber reversed the wrong firmware. But nonetheless, the point is gotten across.
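The quoting point in the comment above, as an added example that is not part of the original comment or the firmware's code: the same name value is formatted into the double-quoted template and into the single-quoted one the comment infers, each string is handed to `sh`, and a hardened path follows. Assumptions: `true` stands in for `adduser`, `echo INJECTED` stands in for the injected command, and the user-name allowlist is hypothetical.

```python
import re
import subprocess

# Constructed stand-in for the PoC's name value: %27 is URL-decoded to a single
# quote and a harmless echo takes the place of <INJECTED_SHELL_COMMAND>.
SAMPLE_NAME = "';echo INJECTED;'"

# The template as reversed in the video (double quotes) and the single-quoted
# form the comment infers. `true` stands in for adduser so no account is touched.
DOUBLE_QUOTED = 'true -u "%s" -p "" >/dev/null'
SINGLE_QUOTED = "true -u '%s' -p \"\" >/dev/null"

# Assumed allowlist for account names; the firmware's real rules are not on the page.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def marker_runs(template, name):
    """Format name into the template, hand the string to sh as system() would,
    and report whether the marker command ran as a command of its own."""
    proc = subprocess.run(["sh", "-c", template % name],
                          capture_output=True, text=True, timeout=5)
    return "INJECTED" in proc.stdout


def safe_argv(name):
    """Hardened form: allowlist the name and return an argv list, to be
    executed without a shell so no quoting context exists to break out of."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("rejected user name: %r" % name)
    return ["adduser", "-u", name, "-p", ""]


if __name__ == "__main__":
    print("double-quoted template runs marker:", marker_runs(DOUBLE_QUOTED, SAMPLE_NAME))
    print("single-quoted template runs marker:", marker_runs(SINGLE_QUOTED, SAMPLE_NAME))
    try:
        safe_argv(SAMPLE_NAME)
    except ValueError as exc:
        print("hardened path:", exc)
```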