CVE-2020-29669
published 2020-12-14


Priority: P269, high, 8.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 4.87% (90.9th percentile)
In the Macally WIFISD2-2A82 Media and Travel Router 2.000.010, the Guest user is able to reset its own password. This process has a vulnerability which can be used to take over the administrator account and results in shell access. As the admin user may read the /etc/shadow file, the password hashes of each user (including root) can be dumped. The root hash can be cracked easily which results in a complete system compromise.

Affected

1 range
Vendor | Product | Version range | Fixed in
macally | wifisd2-2a82_firmware | |

Detection & IOCs (extracted from sources)

url: http://<rhost>/protocol.csp?function=set
url: http://<rhost>/protocol.csp?fname=security&function=set
path: /etc/shadow
command: cat /etc/shadow
  • Alert on Telnet session commands issuing 'cat /etc/shadow' — indicates credential dumping of all user password hashes including root.
  • HTTP Referer header 'http://<host>/app/user/guest.html' in a POST to /protocol.csp?fname=security&function=set is a strong indicator of the privilege escalation exploit being executed.
  • The exploit targets firmware version 2.000.010 specifically; the guest-to-admin password reset vulnerability via /protocol.csp may not be present in other versions.
  • Telnet is enabled by default on this device and is used as the post-exploitation access vector; disabling Telnet would reduce but not eliminate attack surface (HTTP exploitation still possible).
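
The HTTP indicator above, turned into a small log check. This is an added example, not code from the original page or the vendor. It assumes request records are available as (method, URI, Referer) tuples from a proxy or network sensor; the sample records, the 192.0.2.10 address, the /app/main.html path and the "review" tier are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample records (method, request URI, Referer header).
# Hosts, the non-guest Referer and the fname=net request are made up.
SAMPLE_EVENTS = [
    ("GET", "/app/user/guest.html", ""),
    ("POST", "/protocol.csp?fname=security&function=set",
     "http://192.0.2.10/app/user/guest.html"),
    ("POST", "/protocol.csp?function=set&fname=security",
     "http://192.0.2.10/app/main.html"),
    ("POST", "/protocol.csp?fname=net&function=get",
     "http://192.0.2.10/app/user/guest.html"),
]

def classify(method, uri, referer):
    """Return 'high', 'review' or None for one HTTP request record."""
    target = urlsplit(uri)
    query = parse_qs(target.query)
    # Match on parsed parameters so their order in the URL does not matter.
    is_security_set = (
        method.upper() == "POST"
        and target.path == "/protocol.csp"
        and query.get("fname") == ["security"]
        and query.get("function") == ["set"]
    )
    if not is_security_set:
        return None
    # Indicator from the list above: the POST carries the guest page as Referer.
    if urlsplit(referer).path == "/app/user/guest.html":
        return "high"
    # Assumption: the same endpoint reached from another page is only
    # queued for review, since it may be a routine settings change.
    return "review"

def scan(events):
    """Return (index, severity) for every record that matched."""
    hits = []
    for i, (method, uri, referer) in enumerate(events):
        severity = classify(method, uri, referer)
        if severity:
            hits.append((i, severity))
    return hits

if __name__ == "__main__":
    for index, severity in scan(SAMPLE_EVENTS):
        print(severity, SAMPLE_EVENTS[index])
```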

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C