CVE-2019-1653 Cisco RV320/RV325 Router Unauthenticated Configuration Export Vulnerability

Introduction

CVE-2019-1653 allows the configuration file to be exported from vulnerable Cisco RV320 and RV325 series routers without authentication. The exported configuration could then be used to gain administrative access to the router.

Device Identification

Identify the vulnerable devices using the following Shodan query:

http.favicon.hash:-299287097 Apache


Configuration Export

Export the router configuration file by appending /cgi-bin/config.exp to the IP address of the router.
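For defenders, requests to this path are a reliable indicator to search for. The following is an added example, not part of the original post: it scans web access logs for requests to /cgi-bin/config.exp and separates blocked attempts from successful exports. It assumes Common Log Format lines from a proxy or network sensor in front of the management interface; the sample log lines and all function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines (Common Log Format, documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Feb/2019:10:01:22 +0000] "GET /cgi-bin/config.exp HTTP/1.1" 200 48211
203.0.113.9 - - [12/Feb/2019:11:40:03 +0000] "GET /cgi-bin/%63onfig.exp?x=1 HTTP/1.1" 401 0
192.0.2.15 - - [12/Feb/2019:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.9 - - [12/Feb/2019:11:41:10 +0000] "GET //cgi-bin/config.exp HTTP/1.1" 401 0
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
EXPORT_PATH = "/cgi-bin/config.exp"  # path named in the post

def normalize_path(target):
    """Drop query string and fragment, decode %-escapes, collapse repeated slashes."""
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    return re.sub(r"/{2,}", "/", path)

def find_export_requests(log_text):
    """Return {source_ip: [(timestamp, status, exported), ...]} for matching requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or normalize_path(m["target"]) != EXPORT_PATH:
            continue
        # A 2xx response with a body means the configuration left the device.
        exported = m["status"].startswith("2") and m["size"] not in ("-", "0")
        hits[m["src"]].append((m["ts"], int(m["status"]), exported))
    return dict(hits)

def exposed_sources(hits):
    """Sources that actually received the configuration file."""
    return sorted(ip for ip, events in hits.items() if any(e[2] for e in events))

if __name__ == "__main__":
    found = find_export_requests(SAMPLE_LOG)
    for ip, events in found.items():
        for ts, status, exported in events:
            print(f"{ip} {ts} status={status} exported={exported}")
    print("configuration disclosed to:", exposed_sources(found))
```

Any source returned by exposed_sources should be treated as holding the router's credentials, since the password hash in the exported file is accepted at login as described in the next section.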


Authentication Bypass

  • Open the configuration file and get the username and password hash.
  • Start Burp Suite.
  • In the Proxy tab, click Open Browser to open the Burp embedded browser.
  • Open the router web management URL in the Burp embedded browser.
  • Turn on intercept in the Burp proxy.
  • Enter the username from the configuration file and any password.
  • In the Burp proxy Intercept tab, replace the value of the password= parameter with the hash from the configuration file.
  • Forward the request and turn off intercept to log in to the router.



Reference:

https://www.redteam-pentesting.de/en/advisories/rt-sa-2019-003/-cisco-rv320-unauthenticated-configuration-export

