CVE-2020-29669
Published 2020-12-14
Priority: P269 (high) · CVSS 3.1: 8.8
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 4.87% (90.9th percentile)
In the Macally WIFISD2-2A82 Media and Travel Router 2.000.010, the Guest user is able to reset its own password. This process has a vulnerability which can be used to take over the administrator account and results in shell access. As the admin user may read the /etc/shadow file, the password hashes of each user (including root) can be dumped. The root hash can be cracked easily which results in a complete system compromise.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| macally | wifisd2-2a82_firmware | — | — |
Detection & IOCs (extracted from sources)
- Alert on Telnet session commands issuing 'cat /etc/shadow': this indicates credential dumping of all user password hashes, including root.
- The HTTP Referer header 'http://<host>/app/user/guest.html' in a POST to /protocol.csp?fname=security&function=set is a strong indicator of the privilege escalation exploit being executed.
- The exploit targets firmware version 2.000.010 specifically; the guest-to-admin password reset vulnerability via /protocol.csp may not be present in other versions.
- Telnet is enabled by default on this device and is used as the post-exploitation access vector; disabling Telnet would reduce but not eliminate attack surface (HTTP exploitation still possible).
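The two indicators above expressed as log checks, as an added example that is not part of the original entry. It assumes HTTP traffic to the router is recorded in Combined Log Format by a proxy or sensor and that Telnet commands are available as plain strings; the sample lines and addresses are constructed, and only the request line and Referer are matched because the entry does not describe the request body.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: src - user [ts] "METHOD target PROTO" status size "referer" ...
LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)
SHADOW_RE = re.compile(r'\bcat\s+/etc/shadow\b')

def is_guest_security_set(method, target, referer):
    """POST /protocol.csp?fname=security&function=set with a guest.html Referer."""
    url = urlsplit(target)
    if method != "POST" or url.path != "/protocol.csp":
        return False
    query = parse_qs(url.query)
    if query.get("fname") != ["security"] or query.get("function") != ["set"]:
        return False
    # Compare the Referer path only, so any router address or hostname matches.
    return urlsplit(referer).path == "/app/user/guest.html"

def scan_http(lines):
    """Return (source, timestamp) for every log line matching the indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_guest_security_set(m["method"], m["target"], m["referer"]):
            hits.append((m["src"], m["ts"]))
    return hits

def scan_telnet(commands):
    """Return Telnet session commands that read /etc/shadow."""
    return [c for c in commands if SHADOW_RE.search(c)]

# Constructed sample data (documentation address range 192.0.2.0/24).
SAMPLE_HTTP = [
    '192.0.2.10 - - [14/Dec/2020:10:01:02 +0000] "GET /app/user/guest.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [14/Dec/2020:10:01:09 +0000] "POST /protocol.csp?fname=security&function=set HTTP/1.1" 200 64 "http://192.0.2.1/app/user/guest.html" "Mozilla/5.0"',
    '192.0.2.20 - - [14/Dec/2020:10:05:00 +0000] "POST /protocol.csp?fname=security&function=set HTTP/1.1" 200 64 "http://192.0.2.1/app/main.html" "Mozilla/5.0"',
]
SAMPLE_TELNET = ["ls /tmp", "cat /etc/shadow", "cat  /etc/shadow | grep root", "cat /etc/shadows"]

if __name__ == "__main__":
    for src, ts in scan_http(SAMPLE_HTTP):
        print(f"ALERT guest-originated security set from {src} at {ts}")
    for cmd in scan_telnet(SAMPLE_TELNET):
        print(f"ALERT shadow file read over Telnet: {cmd!r}")
```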
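CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |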
- http://packetstormsecurity.com/files/160478/Macally-WIFISD2-2A82-2.000.010-Privilege-Escalation.html
- https://drive.google.com/file/d/1PpiRhhfph8U_0KAoIp0AnwY3mVtp-R-g/view
- https://github.com/S1lkys/CVE-2020-29669