CVE-2020-17456
Published 2020-08-20
CVE-2020-17456: SEOWON INTECH SLC-130 And SLR-120S devices allow Remote Code Execution via the ipAddr parameter to the system_log.cgi page.
Priority: P1 · 93 · critical · 9.8 CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS 70.91% (99.3th percentile)
Detection & IOCs
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M1 (CVE-2020-17456)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/system_log.cgi"; http.request_body; content:"&pingIpAddr="; fast_pattern; content:"%3B%"; within:5; nocase; reference:cve,2020-17456; classtype:attempted-admin; sid:2035950; rev:3; metadata:attack_target Networking_Equipment, created_at 2022_04_14, cve CVE_2020_17456, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_03_08;)
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M2 (CVE-2020-17456)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/system_log.cgi"; http.request_body; content:"&pingIpAddr="; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; reference:cve,2020-17456; classtype:attempted-admin; sid:2035951; rev:2; metadata:created_at 2022_04_14, cve CVE_2020_17456, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08;)
- Exploit targets POST requests to /cgi-bin/system_log.cgi with the 'pingIpAddr' parameter containing a shell command injection prefix (semicolon or other shell metacharacter) to achieve unauthenticated RCE.
- The injection payload in 'pingIpAddr' begins with a shell metacharacter: semicolon (;, %3B), newline (\x0a), ampersand (&, \x26), backtick (`, \x60), pipe (|, \x7C), or dollar sign ($, \x24). All of these are covered by the M2 Snort PCRE.
- URL-encoded semicolon (%3B) immediately followed by another percent-encoded character in the pingIpAddr body field is a reliable M1 detection pattern.
- The exploit also POSTs to /cgi-bin/login.cgi with hardcoded credentials (admin/admin or others) before the RCE step; detecting this login attempt followed by a system_log.cgi POST is a strong behavioral signal.
- The Nuclei template uses an out-of-band (OOB/interactsh) HTTP callback to confirm RCE; defenders should monitor for unexpected outbound HTTP from router management interfaces.
- Multiple sets of hardcoded credentials are present in the firmware and are used by the exploit; these should be treated as known-compromised credentials for any exposed device.
- The vulnerability affects all firmware versions of the SLR-120 series according to the second exploit author, not just the specific version (Lync:Mac firmware 1.0.1) noted in the first exploit.
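An added example (not from this page or from the rule authors): a Python model of the M1 and M2 request-body checks and of the login-then-system_log.cgi correlation described in the list above, run over constructed requests. The function names, the 60-second window, the sample addresses and every body field other than pingIpAddr are assumptions.

```python
import re

FIELD = b"&pingIpAddr="                               # content anchor shared by M1 and M2
M2_NEXT = re.compile(rb"[\x3b\x0a\x26\x60\x7c\x24]")  # ; LF & ` | $  (the M2 pcre, /R)

def match_rules(method, uri, body):
    """Names of the rules (M1/M2) that would fire on one HTTP request."""
    hits = set()
    if method != "POST" or "/system_log.cgi" not in uri:
        return hits
    pos = body.find(FIELD)
    while pos != -1:
        after = pos + len(FIELD)
        # M1: content:"%3B%"; within:5; nocase -> must end within 5 bytes of the anchor
        if b"%3b%" in body[after:after + 5].lower():
            hits.add("M1")
        # M2: one raw metacharacter right after the anchor (body is matched undecoded)
        if M2_NEXT.match(body, after):
            hits.add("M2")
        pos = body.find(FIELD, after)
    return hits

def login_then_rce(events, window=60):
    """Source IPs that POST login.cgi and then trip M1/M2 within `window` seconds."""
    last_login, flagged = {}, []
    for ts, src, method, uri, body in sorted(events):
        if method == "POST" and uri.endswith("/login.cgi"):
            last_login[src] = ts
        elif match_rules(method, uri, body):
            if src in last_login and ts - last_login[src] <= window:
                flagged.append(src)
    return flagged

# Constructed events: (epoch seconds, source IP, method, URI, raw request body).
# "x", "y", "CMD", "<credentials>" and all addresses are placeholders.
EVENTS = [
    (100, "198.51.100.7", "POST", "/cgi-bin/login.cgi", b"<credentials>"),
    (102, "198.51.100.7", "POST", "/cgi-bin/system_log.cgi", b"x=1&pingIpAddr=%3B%20CMD"),
    (200, "192.0.2.10", "POST", "/cgi-bin/system_log.cgi", b"x=1&pingIpAddr=192.0.2.1"),
    (300, "192.0.2.11", "POST", "/cgi-bin/system_log.cgi", b"x=1&pingIpAddr=&y=2"),
    (400, "192.0.2.12", "POST", "/cgi-bin/system_log.cgi", b"pingIpAddr=;CMD"),
]
```

The constructed events show two properties of the rule text: an empty pingIpAddr followed by another field trips M2 through the raw `&`, and a body in which pingIpAddr is the first field has no leading `&` and matches neither rule.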
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 9.8 CRITICAL
GHSA
GHSA-6qx4-682c-qrhq: SEOWON INTECH SLC-130 And SLR-120S devices allow Remote Code Execution via the ipAddr parameter to the system_log
ghsa_unreviewed·2022-05-24
CVE-2020-17456 [HIGH] CWE-78 GHSA-6qx4-682c-qrhq: SEOWON INTECH SLC-130 And SLR-120S devices allow Remote Code Execution via the ipAddr parameter to the system_log
SEOWON INTECH SLC-130 And SLR-120S devices allow Remote Code Execution via the ipAddr parameter to the system_log.cgi page.
VulnCheck
seowonintech slc-130_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2020·CVSS 9.8
CVE-2020-17456 [CRITICAL] seowonintech slc-130_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
SEOWON INTECH SLC-130 And SLR-120S devices allow Remote Code Execution via the ipAddr parameter to the system_log.cgi page.
Affected: seowonintech slc-130_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet; https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; https://cujo.com/blog/the-2022-2023-iot-botnet-report-vulnerabilities-targeted/; https://cujo.com/
Suricata
ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M1 (CVE-2020-17456)
suricata·2022-04-14·CVSS 9.8
CVE-2020-17456 [CRITICAL] ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M1 (CVE-2020-17456)
Suricata
ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M2 (CVE-2020-17456)
suricata·2022-04-14·CVSS 9.8
CVE-2020-17456 [CRITICAL] ET EXPLOIT SEOWON INTECH SLC-130/SLR-120S RCE Inbound M2 (CVE-2020-17456)
Exploit-DB
Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)
exploitdb·2022-03-11·CVSS 9.8
CVE-2020-17456 [CRITICAL] Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)
---
# Exploit Title: Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)
# Date: 2022-03-11
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: http://www.seowonintech.co.kr
# Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=126&big_kind=B05&middle_kind=B05_30
# Version: All version
# Tested on: Windows 10 Enterprise x64 , Linux
# CVE : CVE-2020-17456
# [ About - Seowon SLR-120 router ]:
# The SLR-120 series provide consistent access to LTE networks and transform it to your own hotspot while being mobile,
#The convenience of sharing wireless internet access invigorates your lifestyle, families,
#friends and workmates. Carry it around to boost your active communication anywhere.
# [
Exploit-DB
Seowon SlC 130 Router - Remote Code Execution
exploitdb·2020-08-21·CVSS 9.8
CVE-2020-17456 [CRITICAL] Seowon SlC 130 Router - Remote Code Execution
---
# Exploit Title: Seowon SlC 130 Router - Remote Code Execution
# Author: maj0rmil4d - Ali Jalalat
# Author website: https://secureguy.ir
# Date: 2020-08-20
# Vendor Homepage: seowonintech.co.kr
# Software Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=150&big_kind=B05&middle_kind=B05_29
# CVE: CVE-2020-17456
# Version: Lync:Mac firmware 1.0.1, likely earlier versions
# Tested on: Windows 10 - Parrot sec
# Description:
# user can run arbitrary commands on the router as root !
# as there are already some hardcoded credentials so there is an easy to trigger exploit
# credentials :
# user => VIP
# pwd => V!P83869000
# user => Root
# pwd => PWDd0N~WH*4G#DN
# user => root
# pwd => gksrmf28
# user => admin
# pwd => admin
#
#
Nuclei
SEOWON INTECH SLC-130 & SLR-120S - Unauthenticated Remote Code Execution
nuclei·CVSS 9.8
CVE-2020-17456 [CRITICAL] SEOWON INTECH SLC-130 & SLR-120S - Unauthenticated Remote Code Execution
SEOWON INTECH SLC-130 and SLR-120S devices allow remote code execution via the ipAddr parameter to the system_log.cgi page.
Template:
id: CVE-2020-17456
info:
  name: SEOWON INTECH SLC-130 & SLR-120S - Unauthenticated Remote Code Execution
  author: gy741,edoardottt
  severity: critical
  description: SEOWON INTECH SLC-130 and SLR-120S devices allow remote code execution via the ipAddr parameter to the system_log.cgi page.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected device.
  remediation: |
    Apply the latest firmware update provided by the vendor to mitigate this vulnerability.
  reference:
    - https://maj0rmil4d.github.io/Seowon-SlC-130-And-SLR-120S-E
References:
http://packetstormsecurity.com/files/158933/Seowon-SlC-130-Router-Remote-Code-Execution.html
http://packetstormsecurity.com/files/166273/Seowon-SLR-120-Router-Remote-Code-Execution.html
https://github.com/TAPESH-TEAM/CVE-2020-17456-Seowon-SLR-120S42G-RCE-Exploit-Unauthenticated
https://maj0rmil4d.github.io/Seowon-SlC-130-And-SLR-120S-Exploit/
https://www.exploit-db.com/exploits/50821